{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27514", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-19T19:51:07.328Z", "datePublished": "2026-02-23T16:27:38.171Z", "dateUpdated": "2026-05-11T23:11:27.235Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Tenda F3", "vendor": "Shenzhen Tenda Technology Co., Ltd.", "versions": [{"lessThanOrEqual": "12.01.01.55_multi", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:f3_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "12.01.01.55_multi"}]}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Shenzhen Tenda F3 <span style=\"background-color: rgb(255, 255, 255);\">Wireless Router</span>&nbsp;firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data."}], "value": "Shenzhen Tenda F3 Wireless Router\u00a0firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-525", "description": "CWE-525: Use of Web Browser Cache Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:27.235Z"}, "references": [{"tags": ["product"], "url": "https://www.tendacn.com/product/F3"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/tenda-f3-plaintext-credential-exposure-in-configuration-download"}], "source": {"discovery": "EXTERNAL"}, "title": "Tenda F3 Plaintext Credential Exposure in Configuration Download", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T18:29:06.264210Z", "id": "CVE-2026-27514", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:31:35.987Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27514", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T18:29:06.264210Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:30:37.444Z"}}], "cna": {"title": "Tenda F3 Plaintext Credential Exposure in Configuration Download", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Shenzhen Tenda Technology Co., Ltd.", "product": "Tenda F3", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "12.01.01.55_multi"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.tendacn.com/product/F3", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/tenda-f3-plaintext-credential-exposure-in-configuration-download", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Shenzhen Tenda F3 Wireless Router\u00a0firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data.", "supportingMedia": [{"type": "text/html", "value": "Shenzhen Tenda F3 <span style=\"background-color: rgb(255, 255, 255);\">Wireless Router</span>&nbsp;firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-525", "description": "CWE-525: Use of Web Browser Cache Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-23T16:27:38.171Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27514", "state": "PUBLISHED", "dateUpdated": "2026-02-23T18:31:35.987Z", "dateReserved": "2026-02-19T19:51:07.328Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-23T16:27:38.171Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tenda:f3_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C94698A5-D2EE-45CD-AB06-4BD30F252920", "versionEndIncluding": "12.01.01.55_multi", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tenda:f3:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE9480BB-FC48-4614-A003-A991109FBCAF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shenzhen Tenda F3 Wireless Router\u00a0firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data."}], "id": "CVE-2026-27514", "lastModified": "2026-02-23T20:11:48.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-23T17:23:30.087", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.tendacn.com/product/F3"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/tenda-f3-plaintext-credential-exposure-in-configuration-download"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-525"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,12.01.01.55_multi]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Tenda F3", "source": "cna", "vendor": "Shenzhen Tenda Technology Co., Ltd."}, "product": "f3", "vendor": "tenda"}], "analysis": {"en": {"generated_at": "2026-04-17T16:16:31.054172+00:00", "value": {"mitigation_remediation": ["Apply the latest Tenda F3 firmware update that removes the plaintext credentials from the configuration download response, addressing the CWE\u2011201 and CWE\u2011525 weaknesses.", "Restrict access to the configuration download endpoint so that only authenticated administrative sessions can invoke it, preventing unauthenticated users from triggering the exploit.", "Ensure the endpoint returns appropriate Cache\u2011Control headers (e.g., no-cache, max-age=0) or otherwise prevent caching of the configuration data, stopping credential leakage via client\u2011side caches."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is the Tenda F3 wireless router from Shenzhen Tenda Technology Co., Ltd. The specific firmware revision documented as vulnerable is V12.01.01.55_multi. No other versions are listed as affected in the current advisory.", "description_and_impact": "Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi allows the configuration download response to contain both the router password and the administrative password in plaintext, a flaw characterized by CWE\u2011201 Sensitive Information Exposure and CWE\u2011525 Stored Sensitive Information in Plaintext. The missing Cache\u2011Control headers mean the response can be stored in client\u2011side caches, providing a secondary leakage path where local users or processes with access to cached browser data can recover credentials. Attackers who can trigger the configuration download endpoint, or who later locate cached copies, can obtain confidential credentials that could be used to upload firmware, modify settings, or pivot to other parts of the home network.", "risk_and_exploitability": "The CVSS base score of 7.1 indicates a high severity of confidentiality breach. The EPSS score of less than 1% suggests that, while the vulnerability is serious, its exploitation probability is currently very low. The vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires the attacker to possess network access to the router and be able to trigger the configuration download endpoint; it may also be leveraged by anyone who obtains cached configuration data locally. No additional exploitation conditions are documented, so the primary risk is disclosure of credentials rather than denial\u2011of\u2011service or remote code execution."}}}}, "created": "2026-02-24T09:55:30.320132+00:00", "updated": "2026-04-17T16:30:05.820394+00:00", "vendors": ["tenda", "tenda$PRODUCT$f3"]}