CVE-2026-27512
Content-Type Confusion in Tenda F3 Router Enables XSS
Publication date: 2026-02-23
Last updated on: 2026-02-23
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | f3_firmware | up to 12.01.01.55_multi (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27512 is a reflected script execution vulnerability in the Shenzhen Tenda F3 Wireless Router firmware version 12.01.01.55_multi. The administrative interface fails to include the HTTP header `X-Content-Type-Options: nosniff`, which leads to a content-type confusion vulnerability. This means that attacker-controlled input can be reflected in the response body without proper encoding or escaping. Under certain browser behaviors that perform MIME sniffing, the response may be interpreted as active HTML, allowing an attacker to execute scripts in the context of the administrative interface.
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output). [1]
How can this vulnerability impact me?
This vulnerability can enable an attacker to execute malicious scripts within the administrative interface of the affected router. Because the attack requires user interaction and exploits browser MIME sniffing, it can lead to cross-site scripting (XSS) attacks that may compromise the security of the router's administrative functions.
The impact is considered medium severity with a CVSS v4 base score of 5.1 and v3.1 base score of 6.1, indicating limited but notable risks to confidentiality and integrity. An attacker could potentially manipulate the router's administrative interface or steal sensitive information accessible through it. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the HTTP responses from the administrative interface of the Shenzhen Tenda F3 Wireless Router firmware version 12.01.01.55_multi or potentially earlier versions.
Specifically, check if the HTTP header `X-Content-Type-Options: nosniff` is missing in the responses.
You can use command-line tools like curl or wget to fetch the headers and verify the presence or absence of this header.
- `curl -I http://<router-ip>/admin`
- `wget --server-response --spider http://<router-ip>/admin`
If the `X-Content-Type-Options: nosniff` header is missing and the response body reflects attacker-controlled input without proper encoding, the vulnerability is present.
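The header half of that check can be scripted so it copes with CRLF line endings, mixed-case header names, and redirect chains where only the final response matters. The following is an added example, not part of the original advisory; the function names `check_nosniff`, `sample_missing` and `sample_present` are hypothetical and the sample header dumps are constructed, not captured from a device.

```shell
#!/bin/sh
# check_nosniff: read raw HTTP response headers on stdin (for example the
# output of `curl -sI`) and report whether the LAST response in the dump
# carries X-Content-Type-Options: nosniff, plus its declared Content-Type.
check_nosniff() {
    awk '
        BEGIN { ctype = "(none)" }
        { sub(/\r$/, "") }                               # strip CR from CRLF endings
        /^HTTP\// { xcto = ""; ctype = "(none)"; next }  # new response: reset state
        {
            i = index($0, ":"); if (i == 0) next         # skip blank and non-header lines
            name = tolower(substr($0, 1, i - 1))         # header names are case-insensitive
            value = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "x-content-type-options") xcto = tolower(value)
            if (name == "content-type") ctype = value
        }
        END {
            status = (xcto == "nosniff") ? "nosniff-present" : "nosniff-missing"
            printf "%s content-type=%s\n", status, ctype
        }
    '
}

# Constructed sample header dumps (assumptions for illustration only).
sample_missing() {
    printf 'HTTP/1.1 200 OK\r\nServer: example\r\nContent-Type: text/plain\r\n\r\n'
}
sample_present() {
    # Redirect followed by a final response that sets the header in mixed case.
    printf 'HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-content-type-options: NoSniff\r\n\r\n'
}

sample_missing | check_nosniff
sample_present | check_nosniff
# Live use against the path given above:
#   curl -sI "http://<router-ip>/admin" | check_nosniff
```

A `nosniff-missing` result covers only the header condition; whether the response body reflects input without encoding still has to be confirmed separately.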
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the administrative interface to trusted networks or IP addresses to reduce exposure.
Avoid interacting with suspicious links or inputs that could be reflected in the router's administrative interface.
If possible, update the router firmware to a version where this vulnerability is fixed or contact the vendor for a patch.
As a temporary workaround, consider using network-level controls such as firewall rules to limit access to the router's admin interface. [1]