Mallory

Publicly Exploitable Stack Overflows Disclosed in Tenda F453 and F451 Routers

embedded-device-vulnerability, proof-of-concept-release, perimeter-device-exposure, internet-facing-service-vulnerability
Updated April 13, 2026 at 01:01 AM | 5 sources

Two high-severity vulnerabilities have been disclosed in Tenda routers, both enabling remote stack-based buffer overflows through exposed /goform/ endpoints. CVE-2026-4551 affects the Tenda F453 running version 1.0.0.3, where the fromSafeClientFilter function in the /goform/SafeClientFilter handler can be exploited by manipulating the menufacturer/Go argument. CVE-2026-5990 affects the Tenda F451 running version 1.0.0.7, where the fromSafeEmailFilter function in the /goform/SafeEmailFilter component can be triggered via the page argument.

Both flaws are classified under CWE-119 and CWE-121 and are described as remotely exploitable with public exploit information available, raising the risk of active abuse against exposed devices. The CVE records assign high impact across confidentiality, integrity, and availability in published CVSS scoring, indicating that successful exploitation could give attackers a powerful path to compromise vulnerable edge networking equipment.

Timeline

  1. Apr 12, 2026

    CVE-2026-6133 published for Tenda F451 SafeUrlFilter overflow

    A new CVE entry disclosed a remotely exploitable stack-based buffer overflow in Tenda F451 firmware version 1.0.0.7_cn_svn7958. The flaw affects the fromSafeUrlFilter function in the /goform/SafeUrlFilter endpoint, and the record states that a public exploit is available.

  2. Apr 12, 2026

    CVE-2026-6124 published for Tenda F451 SafeMacFilter overflow

    A new CVE entry disclosed a remotely exploitable stack-based buffer overflow in Tenda F451 firmware version 1.0.0.7. The flaw affects the fromSafeMacFilter function in the /goform/SafeMacFilter endpoint, and public exploit disclosure was noted.

  3. Apr 12, 2026

    CVE-2026-6123 published for Tenda F451 addressNat overflow

    A new CVE entry disclosed a remotely exploitable stack-based buffer overflow in Tenda F451 firmware version 1.0.0.7. The flaw affects the fromAddressNat function in the /goform/addressNat endpoint, and public exploit availability was noted.

  4. Apr 10, 2026

    CVE-2026-5990 published for Tenda F451 stack overflow

    A new CVE entry disclosed a remotely exploitable stack-based buffer overflow in Tenda F451 firmware version 1.0.0.7. The flaw affects the fromSafeEmailFilter function in the /goform/SafeEmailFilter component, and the exploit was reported as publicly disclosed.

  5. Mar 22, 2026

    CVE-2026-4551 published for Tenda F453 stack overflow

    A new CVE entry disclosed a remotely exploitable stack-based buffer overflow in Tenda F453 version 1.0.0.3. The flaw affects the fromSafeClientFilter function in the /goform/SafeClientFilter endpoint, and public exploit information was noted as available.
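For defenders watching traffic in front of these devices, the endpoints and arguments named above can be turned into a simple request check. The following is an added example, not code from the CVE records or from Tenda: it flags any request to the five listed `/goform/` handlers and reports oversized form values. The 64-character threshold and the sample requests are assumptions constructed for illustration, since the records summarized here give no buffer sizes.

```python
from urllib.parse import parse_qsl

# Endpoint -> (CVE, arguments named in the summary above).
# An empty tuple means no argument is named here, so every field is checked.
WATCHED = {
    "/goform/SafeClientFilter": ("CVE-2026-4551", ("menufacturer", "Go")),
    "/goform/SafeEmailFilter": ("CVE-2026-5990", ("page",)),
    "/goform/SafeUrlFilter": ("CVE-2026-6133", ()),
    "/goform/SafeMacFilter": ("CVE-2026-6124", ()),
    "/goform/addressNat": ("CVE-2026-6123", ()),
}
MAX_VALUE_LEN = 64  # assumed alert threshold, not taken from the CVE records


def inspect(target, body=""):
    """Return findings for one HTTP request (request-target plus form body)."""
    path, _, query = target.partition("?")
    entry = WATCHED.get(path)
    if entry is None:
        return []
    cve, named = entry
    # Any hit on a watched handler is worth recording on an exposed device.
    findings = [f"{cve}: request to {path}"]
    fields = parse_qsl(query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    for name, value in fields:
        if named and name not in named:
            continue
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"{cve}: oversized '{name}' ({len(value)} chars)")
    return findings


if __name__ == "__main__":
    # Constructed sample requests; "anyfield" is a hypothetical field name.
    samples = [
        ("/goform/SafeEmailFilter", "page=" + "A" * 300),
        ("/goform/SafeClientFilter?Go=1", "menufacturer=tenda"),
        ("/goform/addressNat", "anyfield=" + "B" * 200),
        ("/index.html", ""),
    ]
    for target, body in samples:
        for finding in inspect(target, body):
            print(finding)
```

Lengths are measured after URL decoding, so percent-encoded padding is counted at its decoded size.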


Related Stories

Publicly Exploitable Buffer Overflows Disclosed in Tenda FH451 and F453 Routers

Two high-severity vulnerabilities have been disclosed in Tenda router firmware, affecting **FH451 1.0.0.9** and **F453 1.0.0.3**. The flaws are tracked as `CVE-2026-4534` and `CVE-2026-4552` and both involve remotely reachable stack-based buffer overflows in web management handlers. In the FH451 case, the issue is in the `formWrlExtraSet` function exposed through the `/goform/WrlExtraSet` component, where manipulation of the `GO` argument can trigger memory corruption. In the F453 case, the vulnerable code is the `fromVirtualSer` function behind the `/goform/VirtualSer` endpoint, where the `page` argument can be abused to cause a similar overflow. Both CVE records indicate that **public exploits are available**, increasing the likelihood of opportunistic attacks against exposed devices. The disclosures map the weaknesses to `CWE-119` and `CWE-121`, reflecting out-of-bounds memory handling and stack-based buffer overflow conditions, and the published scoring points to high impact on confidentiality, integrity, and availability. Organizations using these Tenda models should treat the flaws as urgent remote compromise risks, especially where router administration interfaces are internet-accessible.

1 month ago

Publicly Disclosed Stack Overflow Flaws Expose Tenda F451 Routers to Remote Attack

Two high-severity vulnerabilities, **CVE-2026-6122** and **CVE-2026-6136**, were disclosed for **Tenda F451** routers, both affecting firmware `1.0.0.7` and enabling **remote stack-based buffer overflow** attacks through the device's `httpd` web interface. The flaws reside in the `/goform/L7Prot` and `/goform/L7Im` endpoints, specifically in the `frmL7ProtForm` and `frmL7ImForm` functions, where improper handling of the `page` argument can corrupt stack memory. Both CVEs are mapped to **CWE-119** and **CWE-121**, and the disclosures indicate that **public exploit details are already available**, raising the risk of near-term exploitation against exposed devices. One advisory notes the issue requires only **low privileges** for exploitation, and both entries describe the attack path as remote, making internet-accessible or poorly segmented Tenda F451 deployments a likely target for abuse.

2 weeks ago

Multiple Remote Buffer Overflow Flaws Expose Tenda F456 Routers to Exploitation

Several high-severity vulnerabilities have been disclosed in the **Tenda F456** router running firmware `1.0.0.5`, affecting the device’s `httpd` component across multiple `/goform/` endpoints. The flaws include `CVE-2026-7053` in `frmL7ProtForm` via `/goform/L7Prot`, `CVE-2026-7055` in `fromVirtualSer` via `/goform/VirtualSer`, `CVE-2026-7056` in `fromSafeUrlFilter` via `/goform/SafeUrlFilter`, and `CVE-2026-7057` in `/goform/setcfm`. In each case, crafted input to parameters such as `page`, `menufacturer`, `Go`, `funcname`, or `funcpara1` can trigger a buffer overflow. The vulnerabilities are described as **remotely exploitable** and have been mapped to `CWE-119` and `CWE-120`, with CVSS scoring indicating high impact to confidentiality, integrity, and availability. Public exploit code has also been reported for all four issues, including references to VulDB and GitHub proof-of-concept material, raising the risk of active attacks against exposed devices. Organizations using affected Tenda F456 routers should treat the flaws as urgent exposure in internet-facing network infrastructure.

5 days ago
