CVE-2026-36798
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain multiple stack overflows in the formSetDebugCfgr function via the enable, level, and module parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-10
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-36798
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
tenda tenda_g0 15.11.0.5
tenda g0 15.11.0.5
tenda g0 From 15.11.0.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-36798 vulnerability affects Tenda G0 routers running version V15.11.0.5. It involves improper handling of user-controlled HTTP parameters named enable, level, and module in the formPortalAuth function. These parameters are retrieved and then used unsafely in a command constructed with sprintf and executed via system(), which allows an attacker to execute arbitrary code on the device.

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the formPortalAuth CGI endpoint with malicious values for these parameters, potentially causing denial of service or arbitrary code execution.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) on your Tenda G0 router, leading to process crashes or device instability.

More severely, it can allow arbitrary code execution, meaning an attacker could run malicious commands on your device, potentially taking control of it or using it as a foothold for further attacks.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP requests sent to the `formPortalAuth` CGI endpoint on Tenda G0 routers running version V15.11.0.5. Specifically, look for HTTP requests containing the parameters `enable`, `level`, or `module` with unusual or malicious values such as command injection patterns (e.g., values containing shell commands like `1;telnet 127.0.0.1 80;`).

You can use network monitoring tools or command-line utilities like curl or tcpdump to detect such requests. For example, using curl to test the endpoint with suspicious parameters:

  • curl -v "http://<router-ip>/formPortalAuth?enable=1;telnet 127.0.0.1 80;"
  • tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'formPortalAuth'

Additionally, inspecting router logs for crashes or instability around the time of such requests can help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable `formPortalAuth` CGI endpoint by limiting HTTP access to trusted networks or IP addresses.

Disable remote management features on the Tenda G0 router if not required, to reduce exposure.

Monitor and block suspicious HTTP requests containing suspicious parameters such as `enable`, `level`, or `module` with unusual values.

If available, update the router firmware to a version that patches this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36798. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart