| CVE-2026-24441 | | 0.00 | — | 0.00 | | Feb 3, 2026 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material. |
| CVE-2026-24434 | | 0.00 | — | 0.00 | | Feb 3, 2026 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings. |
| CVE-2026-24427 | | 0.00 | — | 0.00 | | Feb 3, 2026 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, are included in plaintext within configuration response bodies. In addition, responses lack appropriate Cache-Control directives, which may permit web browsers to cache pages containing these credentials and enable subsequent disclosure to an attacker with access to the client system or browser profile. |
| CVE-2026-24426 | | 0.00 | — | 0.00 | | Feb 3, 2026 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim’s browser context. |
