CVE-2026-8264
Command Injection in Tenda AC6 Router
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac6 | 15.03.06.23 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw found in the Tenda AC6 V2.0 router with firmware version 15.03.06.23. It exists in the formWifiApScan function of the /bin/httpd component, specifically when processing the parameters "wl2g.public.country" and "wl5g.public.country".
Because the input parameters are not properly sanitized, an attacker can inject arbitrary operating system commands by sending a specially crafted POST request to the /goform/WifiApScan endpoint. This allows remote execution of commands on the device.
How can this vulnerability impact me? :
This vulnerability allows an attacker to remotely execute arbitrary OS commands on the affected router without user interaction.
- Compromise of the router's integrity and control.
- Potential unauthorized access to the internal network.
- Disruption of network services or interception of network traffic.
- Use of the compromised device as a pivot point for further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted POST request to the /goform/WifiApScan endpoint of the Tenda AC6 router and observing if command injection is possible via the wl2g.public.country or wl5g.public.country parameters.
For example, sending a POST request with the country parameter set to a command injection payload such as ";id" can help verify if the system executes arbitrary OS commands.
A sample command using curl to test this could be:
- curl -X POST http://[router_ip]/goform/WifiApScan -d "wl2g.public.country=;id"
- curl -X POST http://[router_ip]/goform/WifiApScan -d "wl5g.public.country=;id"
If the response or behavior indicates execution of the injected command (such as returning user id information), the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint /goform/WifiApScan to trusted networks only, such as by using firewall rules or network segmentation.
Additionally, avoid exposing the router's management interface to the internet to prevent remote exploitation.
If possible, update the router firmware to a version where this vulnerability is patched or contact the vendor for an official fix.
As a temporary workaround, monitor and block suspicious POST requests targeting the /goform/WifiApScan endpoint with unusual parameter values.