Mallory

Publicly Exploitable Buffer Overflows Disclosed in Tenda FH451 and F453 Routers

Tags: embedded-device-vulnerability, proof-of-concept-release, internet-exposed-service, rapid-weaponization

Updated March 23, 2026 at 06:40 PM (2 sources)

Two high-severity vulnerabilities have been disclosed in Tenda router firmware, affecting FH451 1.0.0.9 and F453 1.0.0.3. The flaws are tracked as CVE-2026-4534 and CVE-2026-4552 and both involve remotely reachable stack-based buffer overflows in web management handlers. In the FH451 case, the issue is in the formWrlExtraSet function exposed through the /goform/WrlExtraSet component, where manipulation of the GO argument can trigger memory corruption. In the F453 case, the vulnerable code is the fromVirtualSer function behind the /goform/VirtualSer endpoint, where the page argument can be abused to cause a similar overflow.

Both CVE records indicate that public exploits are available, increasing the likelihood of opportunistic attacks against exposed devices. The disclosures map the weaknesses to CWE-119 and CWE-121, reflecting out-of-bounds memory handling and stack-based buffer overflow conditions, and the published scoring points to high impact on confidentiality, integrity, and availability. Organizations using these Tenda models should treat the flaws as urgent remote compromise risks, especially where router administration interfaces are internet-accessible.
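For defenders with proxy, WAF or IDS logs in front of these routers, the sketch below is an added example (not from the CVE records or from Mallory) that triages requests to the two endpoints named above. The log format, the management subnet and the 64-character length threshold are assumptions chosen for illustration; the sample records are constructed.

```python
import ipaddress
from urllib.parse import parse_qs

# Endpoint -> argument named in the CVE records summarized on this page.
WATCHED = {
    "/goform/WrlExtraSet": "GO",    # CVE-2026-4534, FH451 1.0.0.9
    "/goform/VirtualSer": "page",   # CVE-2026-4552, F453 1.0.0.3
}
MAX_ARG_LEN = 64  # assumption: tuning threshold, not a value from the advisories
MGMT_NET = ipaddress.ip_network("192.168.0.0/24")  # assumption: admin LAN

# Constructed sample records: "<src_ip> <method> <path> <urlencoded params>"
SAMPLE_LOG = [
    "192.168.0.10 POST /goform/VirtualSer page=1&op=list",
    "203.0.113.7 POST /goform/VirtualSer page=1",
    "192.168.0.10 POST /goform/WrlExtraSet GO=" + "A" * 300,
    "192.168.0.10 GET /index.html -",
    "198.51.100.4 POST /goform/WrlExtraSet GO=wireless_extra.asp",
]

def triage(line):
    """Return a list of finding strings for one log record (empty if clean)."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return ["unparseable record"]
    src, _method, path, params = parts
    arg = WATCHED.get(path.split("?", 1)[0])
    if arg is None:
        return []  # not one of the affected handlers
    findings = []
    try:
        external = ipaddress.ip_address(src) not in MGMT_NET
    except ValueError:
        return ["unparseable source address"]
    if external:
        findings.append(f"{path} reached from non-management source {src}")
    values = parse_qs(params, keep_blank_values=True).get(arg, [])
    longest = max((len(v) for v in values), default=0)
    if longest > MAX_ARG_LEN:
        findings.append(f"{arg} argument is {longest} chars (limit {MAX_ARG_LEN})")
    return findings

def scan(lines):
    """Map the index of each flagged record to its findings."""
    return {i: f for i, line in enumerate(lines) if (f := triage(line))}

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, "; ".join(findings))
```

Any hit from outside the management network also means the administration interface is reachable where it should not be, which is worth fixing regardless of the argument length.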

Timeline

  1. Mar 22, 2026

    CVE-2026-4552 recorded for Tenda F453 memory corruption flaw

    A CVE entry was published for a remotely exploitable stack-based buffer overflow in Tenda F453 firmware version 1.0.0.3. The issue affects the fromVirtualSer function in the /goform/VirtualSer endpoint via the page argument, and the disclosure states that a public exploit is available.

  2. Mar 22, 2026

    CVE-2026-4534 recorded for Tenda FH451 stack overflow

    A CVE entry was published for a remotely exploitable stack-based buffer overflow in Tenda FH451 version 1.0.0.9. The flaw affects the formWrlExtraSet function in /goform/WrlExtraSet via manipulation of the GO argument, and the disclosure notes a public exploit is available.

Related Stories

Stack-Based Overflows in Tenda FH451 and FH1201 Routers Expose Remote Attack Path

Two high-severity vulnerabilities have been disclosed in Tenda router firmware, affecting **FH451 `1.0.0.9`** and **FH1201 `1.2.0.14(408)`**. The flaws, tracked as **`CVE-2026-4535`** and **`CVE-2026-5045`**, are stack-based buffer overflows in the `WrlclientSet` function exposed through the `/goform/WrlclientSet` endpoint. In both cases, an attacker can trigger the issue by manipulating the `GO` argument, creating a remotely reachable attack path against the devices' web management interface. Both CVEs are classified under **`CWE-119`** and **`CWE-121`**, and published scoring indicates high impact to **confidentiality, integrity, and availability**, with some vectors rating the flaws at critical severity. Public exploit information is already available for both issues, raising the risk of real-world exploitation against unpatched internet-exposed routers and embedded deployments using the affected firmware.

1 month ago

Publicly Exploitable Stack Overflows Disclosed in Tenda F453 and F451 Routers

Two high-severity vulnerabilities have been disclosed in Tenda routers, both enabling remote stack-based buffer overflows through exposed `/goform/` endpoints. **CVE-2026-4551** affects the Tenda **F453** running version `1.0.0.3`, where the `fromSafeClientFilter` function in the `/goform/SafeClientFilter` handler can be exploited by manipulating the `menufacturer/Go` argument. **CVE-2026-5990** affects the Tenda **F451** running version `1.0.0.7`, where the `fromSafeEmailFilter` function in the `/goform/SafeEmailFilter` component can be triggered via the `page` argument. Both flaws are classified under **CWE-119** and **CWE-121** and are described as remotely exploitable with **public exploit information available**, raising the risk of active abuse against exposed devices. The CVE records assign high impact across **confidentiality, integrity, and availability** in published CVSS scoring, indicating that successful exploitation could give attackers a powerful path to compromise vulnerable edge networking equipment.

2 weeks ago

Multiple Remote Buffer Overflow Flaws Expose Tenda F456 Routers to Exploitation

Several high-severity vulnerabilities have been disclosed in the **Tenda F456** router running firmware `1.0.0.5`, affecting the device’s `httpd` component across multiple `/goform/` endpoints. The flaws include `CVE-2026-7053` in `frmL7ProtForm` via `/goform/L7Prot`, `CVE-2026-7055` in `fromVirtualSer` via `/goform/VirtualSer`, `CVE-2026-7056` in `fromSafeUrlFilter` via `/goform/SafeUrlFilter`, and `CVE-2026-7057` in `/goform/setcfm`. In each case, crafted input to parameters such as `page`, `menufacturer`, `Go`, `funcname`, or `funcpara1` can trigger a buffer overflow. The vulnerabilities are described as **remotely exploitable** and have been mapped to `CWE-119` and `CWE-120`, with CVSS scoring indicating high impact to confidentiality, integrity, and availability. Public exploit code has also been reported for all four issues, including references to VulDB and GitHub proof-of-concept material, raising the risk of active attacks against exposed devices. Organizations using affected Tenda F456 routers should treat the flaws as urgent exposure in internet-facing network infrastructure.

5 days ago
