VYPR
Unrated severityNVD Advisory· Published Feb 7, 2026· Updated Mar 5, 2026

Tenda G300-F Command Injection via formSetWanDiag

CVE-2026-25857

Description

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Tenda/G300-Fllm-create2 versions
    <=16.01.14.2+ 1 more
    • (no CPE)range: <=16.01.14.2
    • (no CPE)range: 0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.