{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38835", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T15:35:41.189Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-21T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T16:59:46.480Z"}, "descriptions": [{"lang": "en", "value": "Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:52:32.919545Z", "id": "CVE-2026-38835", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:35:41.189Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-38835", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:52:32.919545Z"}}}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:53:02.279Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md"}], "descriptions": [{"lang": "en", "value": "Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T16:59:46.480Z"}}}, "cveMetadata": {"cveId": "CVE-2026-38835", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:35:41.189Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-21T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tenda:w30e_firmware:16.01.0.21:*:*:*:*:*:*:*", "matchCriteriaId": "212C8B7B-FCC1-4C1C-92FD-374E4FC2B893", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "56B9C2BB-D36E-40F8-83FF-FC919337F6BD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request."}], "id": "CVE-2026-38835", "lastModified": "2026-04-27T16:44:10.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T17:16:53.357", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,16.01.0.21]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "w30e", "vendor": "tenda"}], "analysis": {"en": {"generated_at": "2026-04-28T21:31:41.273693+00:00", "value": {"mitigation_remediation": ["Check the Tenda support website for the latest firmware that fixes this issue and install it when available.", "Restrict the router\u2019s management interface to trusted IPs or VPN access and disable remote management where possible.", "If the USB partition feature is not required, disable it or block the formSetUSBPartitionUmount endpoint from processing the usbPartitionName parameter.", "Monitor router logs for unexpected usbPartitionName activity and investigate any anomalies."], "summary": {"action": "Patch Required", "impact": "Remote Command Execution via crafted usbPartitionName in formSetUSBPartitionUmount"}, "threat_synthesis": {"affected_systems": "The issue affects devices running Tenda W30E firmware version V2.0 V16.01.0.21. No other vendors or product releases are listed as impacted.", "description_and_impact": "Command injection exists in the formSetUSBPartitionUmount function of the Tenda W30E router. By supplying a crafted usbPartitionName value, an attacker can inject and execute arbitrary operating\u2011system commands on the device. The vulnerability allows full control over the router with the privileges of the firmware, which can lead to compromise of the entire network or further lateral movement.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity. The EPSS score of < 1% suggests a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector for exploitation is via the router\u2019s web interface, typically from a local network or through compromised credentials. No official patch or workaround has been released yet."}}}}, "created": "2026-04-21T18:30:27.392593+00:00", "title": "Command Injection via USB Partition Name in Tenda W30E Router", "updated": "2026-04-28T21:45:26.132493+00:00", "vendors": ["tenda", "tenda$PRODUCT$w30e"]}