CVE-2026-27512 MEDIUM

CVE-2026-27512: Tenda F3 Reflected Script Execution via Missing nosniff Header

Vendor Shenzhen Tenda Technology Co., Ltd.
Product Tenda F3
Weakness CWE-79 · XSS
Published February 23, 2026
Last update May 25, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a content-type confusion vulnerability in the administrative interface. Responses omit the X-Content-Type-Options: nosniff header and include attacker-influenced content that can be reflected into the response body. Under affected browser behaviors, MIME sniffing may cause the response to be interpreted as active HTML, enabling script execution in the context of the administrative interface.
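A defender-side check for the two conditions in the description, added here as an example and not part of the CVE record or any vendor code: given a raw HTTP response and an inert marker token that was placed in the request, it reports whether `X-Content-Type-Options: nosniff` is absent and whether the marker is reflected in the body. The function names, finding labels, marker and both sample responses are constructed for illustration.

```python
"""Audit a raw HTTP response for the conditions described in the advisory."""

# Types a browser treats as active HTML without any sniffing.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml"}

def parse_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_response(raw, marker):
    """Return findings; marker is the harmless token placed in the request."""
    headers, body = parse_response(raw)
    findings = []
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    reflected = marker in body
    if not nosniff:
        findings.append("missing-nosniff")
    if not media_type:
        findings.append("missing-content-type")
    if reflected:
        findings.append("input-reflected")
    # The combination the advisory describes: the declared type is not HTML,
    # but nothing stops the browser from sniffing reflected content as HTML.
    if reflected and not nosniff and media_type not in ACTIVE_TYPES:
        findings.append("sniffable-reflection")
    return findings

MARKER = "zq7marker"  # constructed, inert alphanumeric token

# Constructed sample responses, not captured from a Tenda device.
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
        "Content-Length: 22\r\n\r\nunknown page zq7marker")
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Content-Length: 12\r\n\r\nunknown page")

if __name__ == "__main__":
    print("weak:", audit_response(WEAK, MARKER))
    print("hardened:", audit_response(HARDENED, MARKER))
```

A response that reports `sniffable-reflection` is fixed on the server side by sending `nosniff` with an accurate `Content-Type` and by not echoing request data into the body unencoded.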

Key dates

02 Disclosure timeline

February 23, 2026 CVE published
May 25, 2026 Record updated