Unrated severityNVD Advisory· Published Mar 16, 2026· Updated Mar 16, 2026

Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow

CVE-2026-4254

Description

A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Affected products

Tenda/Ac8 Firmwarev5
cpe:2.3:o:tenda:ac8_firmware:*:*:*:*:*:*:*:*
Range: 16.03.50.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/digitalandrew/tenda_ac8_v5/blob/main/CVE_Report_Tenda_AC8_SysToolChangePwd_BOF.mdmitreexploit
vuldb.commitrethird-party-advisory
vuldb.commitresignaturepermissions-required
vuldb.commitrevdb-entrytechnical-description
www.tenda.com.cnmitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000