CVE-2025-5862
Published 2025-06-09
Priority: P265 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.80% (52.0th percentile)
A vulnerability was found in Tenda AC7 15.03.06.44 and classified as critical. This issue affects the function formSetPPTPUserList of the file /goform/setPptpUserList. The manipulation of the argument list leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codeigniter4 | framework | 0 – 4.6.2 | — |
| chrome_chrome | — | — | — |
| tenda | ac7 | — | — |
| tenda | ac7_firmware | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vendor_redhat | — | 7.8 | HIGH | — |
GHSA
Withdrawn Advisory: CodeIgniter4 Cross-Site Scripting Vulnerability in debugbar_time Parameter
ghsa·2025-07-25
CVE-2025-45406 [MEDIUM] CWE-79
### Withdrawn Advisory
This advisory has been withdrawn because the original report was found to be invalid. This link is maintained to preserve external references. For more information, see https://github.com/github/advisory-database/pull/5862.
### Original Description
A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter.
GHSA
GHSA-6vfc-8w2v-vx36: A vulnerability was found in Tenda AC7 15
ghsa_unreviewed·2025-06-09
CVE-2025-5862 [HIGH] CWE-119
Chrome
Stable Channel Update for Desktop: CVE-2026-5861
vendor_chrome·2026-04-07·CVSS 8.8
CVE-2026-5861 [HIGH]
CVE-2026-5861: Use after free in V8. Reported by 5shain on 2026-02-23
[TBD][470566252] High CVE-2026-5862: Inappropriate implementation in V8. Reported by Google on 2025-12-21
[TBD][484527367] High CVE-2026-5863: Inappropriate implementation in V8
Severity: high
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://lavender-bicycle-a5a.notion.site/Tenda-AC7-formSetPPTPUserList-20a53a41781f806ca124cbdf99bff931?source=copy_link
https://vuldb.com/?ctiid.311621
https://vuldb.com/?id.311621
https://vuldb.com/?submit.591980
https://www.tenda.com.cn/
https://lavender-bicycle-a5a.notion.site/Tenda-AC7-formSetPPTPUserList-20a53a41781f806ca124cbdf99bff931