CVE-2026-11556

Published Jun 8, 2026

Last updated 6 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-11556 describes an OS command injection vulnerability found in specific versions of the Tenda F451 router. This flaw affects versions 1.0.0.7 and 1.0.0.9 of the device. The vulnerability resides within the Web Management Interface, specifically in the `formWriteFacMac` function located in the `/goform/WriteFacMac` file. By manipulating the `mac` argument, an attacker can perform OS command injection, enabling the execution of arbitrary commands on the affected device. Remote exploitation of this vulnerability is possible, and a public exploit has been released.

Description: A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
Source: cna@vuldb.com
NVD status: Deferred

Risk scores

CVSS 4.0

Type: Secondary
Base score: 7.4
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Secondary
Base score: 9
Impact score: 10
Exploitability score: 8
Vector string: AV:N/AC:L/Au:S/C:C/I:C/A:C

Weaknesses

cna@vuldb.com: CWE-77

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 4

References

Sources include official advisories and independent security research.