Details of VAR-202603-0211

ID

VAR-202603-0211

CVE

CVE-2026-24101

TITLE

Shenzhen Tenda Technology Co.,Ltd. of AC15 in the firmware OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2026-005975

DESCRIPTION

An issue was discovered in goform/formSetIptv in Tenda AC15V1.0 V15.03.05.18_multi. When the condition is met, `s1_1` will be passed into sub_B0488, concatenated into `doSystemCmd`. The value of s1_1 is not validated, potentially leading to a command injection vulnerability. When certain conditions are met, `s1_1` But sub_B0488 is passed to `doSystemCmd` will be concatenated to `s1_1` The value of is not validated, which could lead to a command injection vulnerability.All information handled by the software may be leaked to the outside. All information handled by the software may be rewritten. Furthermore, the software may stop working completely. Furthermore, attacks that exploit this vulnerability will not affect other software

Trust: 1.62

sources: NVD: CVE-2026-24101 // JVNDB: JVNDB-2026-005975

AFFECTED PRODUCTS

vendor:	tenda	model:	ac15	scope:	eq	version:	15.03.05.18_multi	Trust: 1.0
vendor:	tenda	model:	ac15	scope:	-	version:	-	Trust: 0.8
vendor:	tenda	model:	ac15	scope:	eq	version:	-	Trust: 0.8
vendor:	tenda	model:	ac15	scope:	eq	version:	ac15 firmware 15.03.05.18_multi	Trust: 0.8

sources: JVNDB: JVNDB-2026-005975 // NVD: CVE-2026-24101

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2026-24101
value:	CRITICAL
Trust: 1.0
OTHER:	JVNDB-2026-005975
value:	CRITICAL
Trust: 0.8

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2026-24101
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2026-005975
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2026-005975 // NVD: CVE-2026-24101

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2026-005975 // NVD: CVE-2026-24101

PATCH

title:

CVEreport/D-link/CVE-2026-24101 at main akuma-QAQ/CVEreport GitHub

url:

https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24101

Trust: 0.8

sources: JVNDB: JVNDB-2026-005975

EXTERNAL IDS

db:	NVD	id:	CVE-2026-24101	Trust: 2.6
db:	JVNDB	id:	JVNDB-2026-005975	Trust: 0.8

sources: JVNDB: JVNDB-2026-005975 // NVD: CVE-2026-24101

REFERENCES

url:	https://www.tenda.com.cn/material/show/2710	Trust: 1.8
url:	https://github.com/akuma-qaq/cvereport/tree/main/d-link/cve-2026-24101	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2026-24101	Trust: 0.8

sources: JVNDB: JVNDB-2026-005975 // NVD: CVE-2026-24101

SOURCES

db:	JVNDB	id:	JVNDB-2026-005975
db:	NVD	id:	CVE-2026-24101

LAST UPDATE DATE

2026-03-07T23:36:37.208000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2026-005975	date:	2026-03-05T02:51:00
db:	NVD	id:	CVE-2026-24101	date:	2026-03-03T19:44:19.120

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2026-005975	date:	2026-03-05T00:00:00
db:	NVD	id:	CVE-2026-24101	date:	2026-03-02T16:16:24.407