Medium severity4.7NVD Advisory· Published May 11, 2026· Updated May 11, 2026

CVE-2026-8265

Description

A security vulnerability has been detected in Tenda AC6 15.03.06.23. Affected by this issue is the function get_log_file of the file /goform/getLogFile of the component httpd. The manipulation of the argument wans.flag leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

Affected products

Tenda/Ac6 Firmware
cpe:2.3:o:tenda:ac6_firmware:15.03.06.23:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/Tenda%20AC6V2%20get_log_file%20Command%20Injection%20via%20wans.flag.mdnvdExploitThird Party Advisory
vuldb.com/submit/810076nvdThird Party AdvisoryVDB Entry
vuldb.com/vuln/362562nvdThird Party AdvisoryVDB Entry
vuldb.com/vuln/362562/ctinvdPermissions RequiredVDB Entry
www.tenda.com.cnnvdProduct

News mentions

No linked articles in our index yet.

cvss	0.306
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000