CVE-2026-24433Cross-site Scripting in Tenda Technology CO LTD W30e V2

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.1MEDIUMNVD
EPSS
0.0%
top 97.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Shenzhen Tenda Technology CO LTD W30e V2Tenda W30e Firmware
Timeline
PublishedJan 26

Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages2 packages

NVDtenda/w30e_firmware16.01.0.19\(5037\)
CVEListV5shenzhen_tenda_technology_co_ltd/w30e_v216.01.0.19(5037)

🔴Vulnerability Details

2
CVEList
Tenda W30E V2 Stored XSS via Username Field2026-01-26
GHSA
GHSA-4pfw-2gcp-q7h8: Shenzhen Tenda W30E V2 firmware versions up to and including V162026-01-26