Moole Vulnerability Database

Find real vulnerabilities before they ship

High

CVE-2026-8265

A security vulnerability has been detected in Tenda AC6 15.03.06.23. Affected by this issue is the function get_log_file of the file /goform/getLogFile of the component httpd. The manipulation of the argument wans.flag leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

VectorNETWORK

PublishedMay 11, 2026, 04:16

Published Bycna@vuldb.com

Base Score

Score7.2

Affected Versions

No affected versions found.

References

https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/Tenda%20AC6V2%20get_log_file%20Command%20Injection%20via%20wans.flag.md
https://vuldb.com/submit/810076
https://vuldb.com/vuln/362562
https://vuldb.com/vuln/362562/cti
https://www.tenda.com.cn/

Weakness Type

CWE-77

CVSS Metrics

Base Score

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base SeverityLow

Version

4.0

Attack Vector (AV)

NETWORK