CVE-2026-25857 HIGH

CVE-2026-25857: Tenda G300-F Command Injection via formSetWanDiag

Vendor Shenzhen Tenda Technology

Product Tenda G300-F

Weakness CWE-78

Published February 7, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

Key dates

02Disclosure timeline

February 7, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25857

Related vulnerabilities

CVE-2026-25857: Tenda G300-F Command Injection via formSetWanDiag

01Description

02Disclosure timeline

03References

04Related CVE