{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38834", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T19:23:17.157Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-21T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T16:56:31.418Z"}, "descriptions": [{"lang": "en", "value": "Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_1.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_1.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:23:00.511813Z", "id": "CVE-2026-38834", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:23:17.157Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-38834", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:23:00.511813Z"}}}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_1.md", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:19:35.452Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_1.md"}], "descriptions": [{"lang": "en", "value": "Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T16:56:31.418Z"}}}, "cveMetadata": {"cveId": "CVE-2026-38834", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:23:17.157Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-21T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tenda:w30e_firmware:16.01.0.21:*:*:*:*:*:*:*", "matchCriteriaId": "212C8B7B-FCC1-4C1C-92FD-374E4FC2B893", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "56B9C2BB-D36E-40F8-83FF-FC919337F6BD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request."}], "id": "CVE-2026-38834", "lastModified": "2026-04-27T16:44:38.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T17:16:53.257", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/jsjbcyber/repo/blob/main/rep_1.md"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/jsjbcyber/repo/blob/main/rep_1.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "V16.01.0.21"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "w30e", "vendor": "tenda"}], "analysis": {"en": {"generated_at": "2026-04-28T16:19:25.902304+00:00", "value": {"mitigation_remediation": ["Check the Tenda website for a firmware update that addresses the command injection flaw and apply it as soon as possible.", "If no patch is available, limit access to the router\u2019s web management interface to the local network only; block WAN access to ports 80/443 with a firewall or router ACLs.", "Disable the ping functionality or the do_ping_action feature in the router\u2019s settings to eliminate the vulnerable code path.", "Monitor network traffic for anomalous requests targeting the router\u2019s status page and review system logs for evidence of exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The only affected system documented is the Tenda W30E wireless router running firmware V2.0 V16.01.0.21. No additional vendor or product versions are listed.", "description_and_impact": "Tenda W30E routers running firmware V2.0 V16.01.0.21 are vulnerable to a command injection flaw in the do_ping_action function via the hostName parameter. This weakness allows an attacker to craft a request that causes the router to execute arbitrary operating\u2011system commands with the privileges of the web service, leading to full compromise of the device. The vulnerability falls under the category of OS Command Injection (CWE\u201177).", "risk_and_exploitability": "Tenda W30E routers exposed to the web management interface are vulnerable to remote code execution via a crafted HTTP request that triggers the do_ping_action function. The EPSS score of 5% indicates a relatively low but non\u2011zero likelihood of exploitation. The vulnerability has not been listed in the CISA KEV catalog, and there is no known evidence of widespread exploitation; however, the potential impact remains high if the interface is reachable. The CVSS score of 7.3 points to a high severity."}}}}, "created": "2026-04-21T18:30:27.393112+00:00", "title": "Command Injection in Tenda W30E Firmware V2.0 via do_ping_action", "updated": "2026-04-28T16:30:35.089294+00:00", "vendors": ["tenda", "tenda$PRODUCT$w30e"]}