High severity8.8NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026

CVE-2026-4906

Description

A vulnerability was determined in Tenda AC5 15.03.06.47. The affected element is the function decodePwd of the file /goform/WizardHandle of the component POST Request Handler. Executing a manipulation of the argument WANT/WANS can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

Affected products

Tenda/Ac5 Firmware
cpe:2.3:o:tenda:ac5_firmware:15.03.06.47:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lavender-bicycle-a5a.notion.site/Tenda_AC5_WizardHandle_PPW-32053a41781f80cab094d750d30dc9a8nvdExploitThird Party Advisory
vuldb.comnvdThird Party AdvisoryVDB Entry
vuldb.comnvdThird Party AdvisoryVDB Entry
vuldb.comnvdPermissions RequiredVDB Entry
www.tenda.com.cnnvdProduct

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000