{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4254", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-16T06:16:10.100Z", "datePublished": "2026-03-16T17:32:11.090Z", "dateUpdated": "2026-03-16T18:29:35.800Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-16T17:32:11.090Z"}, "title": "Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-121", "lang": "en", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "Tenda", "product": "AC8", "versions": [{"version": "16.03.50.0", "status": "affected"}, {"version": "16.03.50.1", "status": "affected"}, {"version": "16.03.50.2", "status": "affected"}, {"version": "16.03.50.3", "status": "affected"}, {"version": "16.03.50.4", "status": "affected"}, {"version": "16.03.50.5", "status": "affected"}, {"version": "16.03.50.6", "status": "affected"}, {"version": "16.03.50.7", "status": "affected"}, {"version": "16.03.50.8", "status": "affected"}, {"version": "16.03.50.9", "status": "affected"}, {"version": "16.03.50.10", "status": "affected"}, {"version": "16.03.50.11", "status": "affected"}], "cpes": ["cpe:2.3:o:tenda:ac8_firmware:*:*:*:*:*:*:*:*"], "modules": ["HTTP Endpoint"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "CRITICAL"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "CRITICAL"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "CRITICAL"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 10, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-16T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-16T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-16T07:21:20.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "DigitalAndrew (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.351212", "name": "VDB-351212 | Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351212", "name": "VDB-351212 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.771773", "name": "Submit #771773 | Tenda AC8 V5 V16.03.50.11 Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/digitalandrew/tenda_ac8_v5/blob/main/CVE_Report_Tenda_AC8_SysToolChangePwd_BOF.md", "tags": ["exploit"]}, {"url": "https://www.tenda.com.cn/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T18:29:16.971487Z", "id": "CVE-2026-4254", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:29:35.800Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4254", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T18:29:16.971487Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:29:30.363Z"}}], "cna": {"title": "Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow", "credits": [{"lang": "en", "type": "reporter", "value": "DigitalAndrew (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 10, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:o:tenda:ac8_firmware:*:*:*:*:*:*:*:*"], "vendor": "Tenda", "modules": ["HTTP Endpoint"], "product": "AC8", "versions": [{"status": "affected", "version": "16.03.50.0"}, {"status": "affected", "version": "16.03.50.1"}, {"status": "affected", "version": "16.03.50.2"}, {"status": "affected", "version": "16.03.50.3"}, {"status": "affected", "version": "16.03.50.4"}, {"status": "affected", "version": "16.03.50.5"}, {"status": "affected", "version": "16.03.50.6"}, {"status": "affected", "version": "16.03.50.7"}, {"status": "affected", "version": "16.03.50.8"}, {"status": "affected", "version": "16.03.50.9"}, {"status": "affected", "version": "16.03.50.10"}, {"status": "affected", "version": "16.03.50.11"}]}], "timeline": [{"lang": "en", "time": "2026-03-16T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-16T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-16T07:21:20.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.351212", "name": "VDB-351212 | Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351212", "name": "VDB-351212 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.771773", "name": "Submit #771773 | Tenda AC8 V5 V16.03.50.11 Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/digitalandrew/tenda_ac8_v5/blob/main/CVE_Report_Tenda_AC8_SysToolChangePwd_BOF.md", "tags": ["exploit"]}, {"url": "https://www.tenda.com.cn/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-16T17:32:11.090Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4254", "state": "PUBLISHED", "dateUpdated": "2026-03-16T18:29:35.800Z", "dateReserved": "2026-03-16T06:16:10.100Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-16T17:32:11.090Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tenda:ac8_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEDAB468-CE0D-4BBD-B3B7-25DF2ECDEA37", "versionEndIncluding": "16.03.50.11", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tenda:ac8:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "2C8EA663-E451-426B-8CC7-B281436CCFB8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks."}, {"lang": "es", "value": "Se ha identificado una debilidad en Tenda AC8 hasta la versi\u00f3n 16.03.50.11. Esta vulnerabilidad afecta a la funci\u00f3n doSystemCmd del archivo /goform/SysToolChangePwd del componente Endpoint HTTP. Esta manipulaci\u00f3n del argumento local_2c causa un desbordamiento de b\u00fafer basado en pila. El ataque puede iniciarse remotamente. El exploit se ha puesto a disposici\u00f3n del p\u00fablico y podr\u00eda usarse para ataques."}], "id": "CVE-2026-4254", "lastModified": "2026-03-20T13:35:42.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-16T18:16:10.773", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/digitalandrew/tenda_ac8_v5/blob/main/CVE_Report_Tenda_AC8_SysToolChangePwd_BOF.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.351212"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.351212"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.771773"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://www.tenda.com.cn/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.50.11"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AC8", "source": "cna", "vendor": "Tenda"}, "product": "ac8", "vendor": "tenda"}], "analysis": {"en": {"generated_at": "2026-03-20T15:35:31.877011+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update that addresses the stack\u2011based overflow (version greater than 16.03.50.11).", "If an update is not yet available, restrict external access to the router\u2019s web interface or block the /goform/SysToolChangePwd endpoint with firewall rules.", "Consider isolating the router from untrusted networks through network segmentation or a dedicated VLAN."], "summary": {"action": "Immediate Patch", "impact": "Stack-based Buffer Overflow (Remote)"}, "threat_synthesis": {"affected_systems": "Tenda AC8 routers running firmware versions up to and including 16.03.50.11 are affected. The vulnerability targets the component HTTP Endpoint, specifically the function doSystemCmd within /goform/SysToolChangePwd. CPE identifiers cpe:2.3:h:tenda:ac8:5.0:*:*:*:*:*:*:* and cpe:2.3:o:tenda:ac8_firmware:*:*:*:*:*:*:* indicate the impacted product model and firmware family.", "description_and_impact": "A stack-based buffer overflow was discovered in the HTTP endpoint /goform/SysToolChangePwd of the Tenda AC8 router. The vulnerability is caused by manipulation of the argument local_2c in the doSystemCmd function, which overflows a stack buffer. The described impact is that an attacker can initiate the exploit remotely and the public exploit code is available. Based on the description, it is inferred that an attacker may potentially execute arbitrary code on the device.", "risk_and_exploitability": "The base CVSS score is 9.3, indicating critical severity, and the EPSS score is less than 1\u202f%, suggesting a low likelihood of in\u2011the\u2011wild exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is described as remote via HTTP, with no authentication requirement. Based on the nature of the overflow, it is inferred that an attacker could potentially execute arbitrary code on the device."}}}}, "created": "2026-03-17T09:52:27.283055+00:00", "updated": "2026-03-24T10:50:07.677773+00:00", "vendors": ["tenda", "tenda$PRODUCT$ac8"]}