CVE-2026-8263 PUBLISHED

A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01. Affected is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet of the component httpd. Performing a manipulation of the argument mac/ssid results in os command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

• ST4R (VulDB User) reporter

• VDB-362560 | Tenda AC6 httpd WifiExtraSet fromSetWirelessRepeat os command injection
• VDB-362560 | CTI Indicators (IOB, IOC, TTP, IOA)
• Submit #810074 | Tenda AC6 V2.0 (AC1206) Firmware V15.03.06.23 Command Injection via mac/ssid
• https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/fromSetWirelessRepeat.md
• https://www.tenda.com.cn/

• OS Command Injection CWE
• Command Injection CWE