CVE-2026-25857

UNKNOWN 0.0

Tenda G300-F Command Injection via formSetWanDiag

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

CWE	CWE-78
Vendor	shenzhen tenda technology
Product	tenda g300-f
Published	Feb 7, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for shenzhen tenda technology tenda g300-f

Be the first to know when new unknown vulnerabilities affecting shenzhen tenda technology tenda g300-f are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Shenzhen Tenda Technology / Tenda G300-F

0 ≤ 16.01.14.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

blog.evan.lat: https://blog.evan.lat/blog/cve-2026-25857/ tendacn.com: https://www.tendacn.com/material/show/736333682028613 vulncheck.com: https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag

Credits

evan