CVE-2026-4254 PUBLISHED

Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow

Assigner: VulDB
Reserved: 16.03.2026 Published: 16.03.2026 Updated: 16.03.2026

A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
CVSS Score: 9.3

Product Status

Vendor Tenda
Product AC8
Versions
  • Version 16.03.50.0 is affected
  • Version 16.03.50.1 is affected
  • Version 16.03.50.2 is affected
  • Version 16.03.50.3 is affected
  • Version 16.03.50.4 is affected
  • Version 16.03.50.5 is affected
  • Version 16.03.50.6 is affected
  • Version 16.03.50.7 is affected
  • Version 16.03.50.8 is affected
  • Version 16.03.50.9 is affected
  • Version 16.03.50.10 is affected
  • Version 16.03.50.11 is affected

Credits

  • DigitalAndrew (VulDB User) reporter

References

Problem Types

  • Stack-based Buffer Overflow CWE
  • Memory Corruption CWE