CVE-2026-24434

CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

5.1MEDIUM

EPSS

0.0%

top 99.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shenzhen Tenda Technology Co., Ltd. Tenda AC7 Tenda AC7 Firmware

Timeline

PublishedFeb 3

Description

Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDtenda/ac7_firmware03.03.03.01

▶CVEListV5shenzhen_tenda_technology_co.,_ltd./tenda_ac703.03.03.01_cn

🔴Vulnerability Details

GHSA

GHSA-rmf8-4fg8-5v47: Shenzhen Tenda AC7 firmware version V03↗2026-02-03

▶

CVEList

Tenda AC7 Web Interface Lacks CSRF Protections for Admin Actions↗2026-02-03

▶