Tenda W20E Firmware vulnerabilities
23 known vulnerabilities affecting tenda/w20e_firmware.
Total CVEs: 23
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL: 16, HIGH: 3, MEDIUM: 4
Vulnerabilities
Page 1 of 2
CVE-2026-24115 [CRITICAL] CVSS 9.8, CWE-120, v15.11.0.6, 2026-03-02
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the sizes of `gstup` and `gstdwn` before concatenating them into `gstruleQos` may lead to buffer overflow.
nvd
CVE-2026-24107 [CRITICAL] CVSS 9.8, CWE-94, v15.11.0.6, 2026-03-02
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the value of `usbPartitionName`, which is directly used in `doSystemCmd`, may lead to critical command injection vulnerabilities.
nvd
CVE-2026-24112 [CRITICAL] CVSS 9.8, CWE-120, v15.11.0.6, 2026-03-02
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by specifying the value of `userInfo`. When `userInfo` is passed into the `addWewifiWhiteUser` function and processed by `sscanf` without size validation, it could lead to a buffer overflow vulnerability.
nvd
CVE-2026-24109 [CRITICAL] CVSS 9.8, CWE-120, v15.11.0.6, 2026-03-02
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by controlling the value of `picName`. When this value is used in `sprintf` without validating variable sizes, it could lead to a buffer overflow vulnerability.
nvd
CVE-2026-24110 [CRITICAL] CVSS 9.8, CWE-120, v15.11.0.6, 2026-03-02
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may send overly long `addDhcpRules` data. When these rules enter the `addDhcpRule` function and are processed by `ret = sscanf(pRule, " %d\t%[^\t]\t%[^\n\r\t]", &dhcpsIndex, dhcpsIP, dhcpsMac);`, the lack of size validation for the rules could lead to buffer overflows in `dhcpsInde
nvd
CVE-2026-24113 [CRITICAL] CVSS 9.8, CWE-120, v15.11.0.6, 2026-03-02
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by controlling the value of `nptr`. When this value is passed into the `getMibPrefix` function and concatenated using `sprintf` without proper size validation, it could lead to a buffer overflow vulnerability.
nvd
CVE-2026-24114 [CRITICAL] CVSS 9.8, CWE-120, v15.11.0.6, 2026-03-02
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate `pPortMapIndex` may lead to buffer overflows when using `strcpy`.
nvd
CVE-2026-24111 [CRITICAL] CVSS 9.8, CWE-120, v15.11.0.6, 2026-03-02
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by specifying the value of `userInfo`. When `userInfo` is passed into the `addAuthUser` function and processed by `sscanf` without size validation, it could lead to buffer overflow.
nvd
CVE-2026-24108 [CRITICAL] CVSS 9.8, CWE-120, v15.11.0.6, 2026-03-02
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by controlling the value of `nptr`. When this value is passed into the `getMibPrefix` function and concatenated using `sprintf` without proper size validation, it could lead to a buffer overflow vulnerability.
nvd
CVE-2025-44867 [MEDIUM] CVSS 6.3, CWE-77, v15.11.0.6, 2025-05-01
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetNetCheckTools function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
nvd
CVE-2025-44864 [MEDIUM] CVSS 6.3, CWE-77, v15.11.0.6, 2025-05-01
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the module parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
nvd
CVE-2025-44865 [MEDIUM] CVSS 6.3, CWE-77, v15.11.0.6, 2025-05-01
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the enable parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
nvd
CVE-2025-44866 [MEDIUM] CVSS 6.3, CWE-77, v15.11.0.6, 2025-05-01
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the level parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
nvd
CVE-2024-3874 [HIGH] CVSS 8.8, CWE-121, v15.11.0.6, 2024-04-16
A vulnerability was found in Tenda W20E 15.11.0.6. It has been declared as critical. This vulnerability affects the function formSetRemoteWebManage of the file /goform/SetRemoteWebManage. The manipulation of the argument remoteIP leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and
nvd
CVE-2023-26805 [CRITICAL] CVSS 9.8, CWE-787, v15.11.0.6, 2023-03-19
Tenda W20E v15.11.0.6 (US_W20EV4.0br_v15.11.0.6(1068_1546_841)_CN_TDC) is vulnerable to Buffer Overflow via function formIPMacBindModify.
nvd
CVE-2023-26806 [CRITICAL] CVSS 9.8, CWE-787, v15.11.0.6, 2023-03-19
Tenda W20E v15.11.0.6(US_W20EV4.0br_v15.11.0.6(1068_1546_841 is vulnerable to Buffer Overflow via function formSetSysTime,
nvd
CVE-2022-48130 [CRITICAL] CVSS 9.8, CWE-787, v15.11.0.6, 2023-02-02
Tenda W20E v15.11.0.6 was discovered to contain multiple stack overflows in the function formSetStaticRoute via the parameters staticRouteNet, staticRouteMask, staticRouteGateway, staticRouteWAN.
nvd
CVE-2022-45996 [HIGH] CVSS 7.2, CWE-78, v16.01.0.6(3392), 2022-12-12
Tenda W20E V16.01.0.6(3392) is vulnerable to Command injection via cmd_get_ping_output.
nvd
CVE-2022-45997 [HIGH] CVSS 7.2, CWE-120, v16.01.0.6(3392), 2022-12-12
Tenda W20E V16.01.0.6(3392) is vulnerable to Buffer Overflow.
nvd
CVE-2022-40855 [CRITICAL] CVSS 9.8, CWE-787, v15.11.0.6, 2022-09-23
Tenda W20E router V15.11.0.6 contains a stack overflow in the function formSetPortMapping with post request 'goform/setPortMapping/'. This vulnerability allows attackers to cause a Denial of Service (DoS) or Remote Code Execution (RCE) via the portMappingServer, portMappingProtocol, portMappingWan, porMappingtInternal, and portMappingExternal param
nvd