Unrated severity · NVD Advisory · Published Feb 7, 2026 · Updated Mar 5, 2026
Tenda G300-F Command Injection via formSetWanDiag
CVE-2026-25857
Description
Tenda G300-F router firmware versions 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
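The mitigation for this class of bug, as an added example that is not Tenda's firmware code: validate the diagnostic target against a strict character allowlist and start curl with an argument vector instead of a shell command string. The function names, the URL template and the 5-second timeout are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical validator: accept only a hostname or IPv4 literal. */
int diag_target_is_valid(const char *t)
{
    size_t n = t ? strlen(t) : 0;
    if (n == 0 || n > 253 || t[0] == '-' || t[0] == '.')
        return 0;                  /* empty, oversized, or option-like input */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)t[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;              /* shell metacharacters, spaces, quotes, newlines */
    }
    return 1;
}

/* Build curl's argument vector; returns argc, or -1 if the input is rejected. */
int diag_build_argv(const char *target, char *url, size_t url_len,
                    const char *argv[8])
{
    static const char *fixed[] = { "curl", "--max-time", "5",
                                   "--proto", "=http,https", "--url" };
    int i, n;
    if (!diag_target_is_valid(target))
        return -1;
    n = snprintf(url, url_len, "http://%s/", target);  /* assumed URL template */
    if (n < 0 || (size_t)n >= url_len)
        return -1;
    for (i = 0; i < 6; i++)
        argv[i] = fixed[i];
    argv[6] = url;                 /* the target is one argv element, never re-parsed */
    argv[7] = NULL;
    return 7;
}

/* Run curl with fork/execvp: no shell ever interprets the target string. */
int diag_run(const char *target)
{
    char url[300];
    const char *argv[8];
    int status;
    pid_t pid;
    if (diag_build_argv(target, url, sizeof url, argv) < 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Either control alone narrows the exposure; together, a value that somehow passes validation still reaches curl as a single argument rather than as shell syntax.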
Affected products
- Range: 0
Patches
No patches discovered yet.
References
- blog.evan.lat/blog/cve-2026-25857/ (mitre; technical-description; exploit)
- www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag (mitre; third-party-advisory)
- www.tendacn.com/material/show/736333682028613 (mitre; product)