Details of VAR-202605-0817

ID

VAR-202605-0817

CVE

CVE-2026-8265

TITLE

Shenzhen Tenda Technology Co.,Ltd. of AC6 Multiple vulnerabilities in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2026-015137

DESCRIPTION

A security vulnerability has been detected in Tenda AC6 15.03.06.23. Affected by this issue is the function get_log_file of the file /goform/getLogFile of the component httpd. The manipulation of the argument wans.flag leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. All information handled by the software may be rewritten. Furthermore, the software may stop working completely. Furthermore, attacks that exploit this vulnerability will not affect other software

Trust: 1.62

sources: NVD: CVE-2026-8265 // JVNDB: JVNDB-2026-015137

AFFECTED PRODUCTS

vendor:	tenda	model:	ac6	scope:	eq	version:	15.03.06.23	Trust: 1.0
vendor:	tenda	model:	ac6	scope:	eq	version:	-	Trust: 0.8
vendor:	tenda	model:	ac6	scope:	-	version:	-	Trust: 0.8
vendor:	tenda	model:	ac6	scope:	eq	version:	ac6 firmware 15.03.06.23	Trust: 0.8

sources: JVNDB: JVNDB-2026-015137 // NVD: CVE-2026-8265

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2026-8265
value:	LOW
Trust: 1.0
nvd@nist.gov:	CVE-2026-8265
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2026-015137
value:	HIGH
Trust: 0.8

cna@vuldb.com:	CVE-2026-8265
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:L/AU:M/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
OTHER:	JVNDB-2026-015137
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:L/AU:M/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

cna@vuldb.com:	CVE-2026-8265
baseSeverity:	MEDIUM
baseScore:	4.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.2
impactScore:	3.4
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2026-8265
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2026-015137
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2026-015137 // NVD: CVE-2026-8265 // NVD: CVE-2026-8265

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	CWE-78	Trust: 1.0
problemtype:	Command injection (CWE-77) [ others ]	Trust: 0.8
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2026-015137 // NVD: CVE-2026-8265

PATCH

title:

//vuldb.com/vuln/362562

url:

https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/Tenda%20AC6V2%20get_log_file%20Command%20Injection%20via%20wans.flag.md

Trust: 0.8

sources: JVNDB: JVNDB-2026-015137

EXTERNAL IDS

db:	NVD	id:	CVE-2026-8265	Trust: 2.6
db:	JVNDB	id:	JVNDB-2026-015137	Trust: 0.8

sources: JVNDB: JVNDB-2026-015137 // NVD: CVE-2026-8265

REFERENCES

url:	https://www.tenda.com.cn/	Trust: 1.8
url:	https://github.com/dxz0069/wavlink-wn530h4-command-injection-in-set_add_routing/blob/main/tenda%20ac6v2%20get_log_file%20command%20injection%20via%20wans.flag.md	Trust: 1.0
url:	https://vuldb.com/vuln/362562	Trust: 1.0
url:	https://vuldb.com/vuln/362562/cti	Trust: 1.0
url:	https://vuldb.com/submit/810076	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2026-8265	Trust: 0.8

sources: JVNDB: JVNDB-2026-015137 // NVD: CVE-2026-8265

SOURCES

db:	JVNDB	id:	JVNDB-2026-015137
db:	NVD	id:	CVE-2026-8265

LAST UPDATE DATE

2026-06-19T23:06:45.420000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2026-015137	date:	2026-05-13T01:21:00
db:	NVD	id:	CVE-2026-8265	date:	2026-05-11T17:03:22.590

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2026-015137	date:	2026-05-13T00:00:00
db:	NVD	id:	CVE-2026-8265	date:	2026-05-11T04:16:19.860