ID

VAR-202601-4993


CVE

CVE-2026-24435


DESCRIPTION

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allowing attacker-controlled origins to issue credentialed cross-origin requests.

Trust: 1.0

sources: NVD: CVE-2026-24435

AFFECTED PRODUCTS

vendor: tenda
model: w30e
scope: lte
version: 16.01.0.19\(5037\)

Trust: 1.0

sources: NVD: CVE-2026-24435

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-24435
value: MEDIUM

Trust: 1.0

disclosure@vulncheck.com: CVE-2026-24435
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2026-24435
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: NVD: CVE-2026-24435 // NVD: CVE-2026-24435

PROBLEMTYPE DATA

problemtype:CWE-942

Trust: 1.0

sources: NVD: CVE-2026-24435

EXTERNAL IDS

db: NVD
id: CVE-2026-24435

Trust: 1.0

sources: NVD: CVE-2026-24435

REFERENCES

url:https://www.tendacn.com/product/w30e

Trust: 1.0

url:https://www.vulncheck.com/advisories/tenda-w30e-v2-permissive-cors-allows-cross-origin-data-access

Trust: 1.0

sources: NVD: CVE-2026-24435

SOURCES

db: NVD
id: CVE-2026-24435

LAST UPDATE DATE

2026-02-12T23:51:06.621000+00:00


SOURCES UPDATE DATE

db: NVD
id: CVE-2026-24435
date: 2026-02-02T19:56:16.290

SOURCES RELEASE DATE

db: NVD
id: CVE-2026-24435
date: 2026-01-26T18:16:41.030