Multiple Remote Buffer Overflow Flaws Expose Tenda F456 Routers to Exploitation

Tags: embedded-device-vulnerability, proof-of-concept-release, perimeter-device-exposure, rapid-weaponization

Updated April 27, 2026 at 12:01 PM (13 sources)
Several high-severity vulnerabilities have been disclosed in the Tenda F456 router running firmware 1.0.0.5, affecting the device’s httpd component across multiple /goform/ endpoints. The flaws include CVE-2026-7053 in frmL7ProtForm via /goform/L7Prot, CVE-2026-7055 in fromVirtualSer via /goform/VirtualSer, CVE-2026-7056 in fromSafeUrlFilter via /goform/SafeUrlFilter, and CVE-2026-7057 in /goform/setcfm. In each case, crafted input to parameters such as page, menufacturer, Go, funcname, or funcpara1 can trigger a buffer overflow.

The vulnerabilities are described as remotely exploitable and have been mapped to CWE-119 and CWE-120, with CVSS scoring indicating high impact to confidentiality, integrity, and availability. Public exploit code has also been reported for all four issues, including references to VulDB and GitHub proof-of-concept material, raising the risk of active attacks against exposed devices. Organizations using affected Tenda F456 routers should treat the flaws as urgent exposure in internet-facing network infrastructure.

Timeline

  1. Apr 27, 2026

    VulDB receives CVE-2026-7101 for Tenda F456 WrlclientSet overflow

    On 2026-04-27, VulDB received CVE-2026-7101 for a remotely exploitable buffer overflow in Tenda F456 firmware 1.0.0.5. The flaw affects the httpd component's fromWrlclientSet function at /goform/WrlclientSet, and the disclosure states that a public exploit exists.

  2. Apr 27, 2026

    VulDB receives CVE-2026-7100 for Tenda F456 Natlimit overflow

    On 2026-04-27, a new CVE entry was recorded for a remotely exploitable buffer overflow in Tenda F456 firmware 1.0.0.5. The flaw affects the httpd component's fromNatlimitof function at /goform/Natlimit, and the disclosure states that a public exploit is already available.

  3. Apr 27, 2026

    VulDB records CVE-2026-7099 for Tenda F456 QuickIndex overflow

    On 2026-04-27, a new CVE entry was recorded for a remotely exploitable buffer overflow in Tenda F456 firmware 1.0.0.5. The flaw affects the httpd component's formQuickIndex function at /goform/QuickIndex via the mit_linktype argument, and the disclosure states that a public exploit is available.

  4. Apr 27, 2026

    VulDB receives CVE-2026-7097 for Tenda F456 webExcptypemanFilter overflow

    On 2026-04-27, VulDB received CVE-2026-7097 for a remotely exploitable buffer overflow in Tenda F456 firmware 1.0.0.5. The flaw affects the httpd component's fromwebExcptypemanFilter function at /goform/webExcptypemanFilter via the page argument, and the disclosure states that public exploit code is available.

  5. Apr 27, 2026

    VulDB receives CVE-2026-7082 for Tenda F456 WrlExtraSet overflow

    On 2026-04-27, VulDB received CVE-2026-7082 for a remotely exploitable buffer overflow in Tenda F456 firmware 1.0.0.5. The flaw affects the httpd component's formWrlExtraSet function at /goform/WrlExtraSet via the Go argument, and the disclosure states that an exploit is publicly available.

  6. Apr 27, 2026

    VulDB receives CVE-2026-7081 for Tenda F456 GstDhcpSetSer overflow

    On 2026-04-27, VulDB received CVE-2026-7081 for a remotely exploitable buffer overflow in Tenda F456 firmware 1.0.0.5. The flaw affects the httpd component's fromGstDhcpSetSer function at /goform/GstDhcpSetSer via the dips argument, and the disclosure states that a public exploit exists.

  7. Apr 27, 2026

    VulDB receives CVE-2026-7080 for Tenda F456 PPTPUserSetting overflow

    On 2026-04-27, a new CVE entry was recorded for a remotely exploitable buffer overflow in Tenda F456 firmware 1.0.0.5. The flaw affects the httpd component's fromPPTPUserSetting function at /goform/PPTPUserSetting via the delno argument, and public exploit availability was disclosed.

  8. Apr 27, 2026

    VulDB receives CVE-2026-7079 for Tenda F456 AdvSetWan overflow

    On 2026-04-27, VulDB received CVE-2026-7079 for a remotely exploitable buffer overflow in Tenda F456 firmware 1.0.0.5. The flaw affects the httpd component's fromAdvSetWan function at /goform/AdvSetWan via the wanmode argument, and the disclosure states that a public exploit is available.

  9. Apr 27, 2026

    VulDB receives CVE-2026-7078 for Tenda F456 SetIpBind overflow

    On 2026-04-27, VulDB received CVE-2026-7078 for a remotely exploitable buffer overflow in the Tenda F456 httpd component affecting firmware 1.0.0.5. The flaw is in the fromSetIpBind function of /goform/SetIpBind via the page argument, and the disclosure notes public exploit information is available.

  10. Apr 26, 2026

    Public exploit availability disclosed for Tenda F456 flaws

    The published CVE records state that exploits for the four Tenda F456 vulnerabilities were already publicly available at disclosure time, including references to GitHub proof-of-concept material for some entries. This increased the likelihood of real-world exploitation of the affected router firmware.

  11. Apr 26, 2026

    VulDB receives four CVE reports for Tenda F456 buffer overflows

    On April 26, 2026, vulnerability records were received for four distinct remotely exploitable buffer overflow flaws affecting Tenda F456 firmware 1.0.0.5 in the httpd component: CVE-2026-7053, CVE-2026-7055, CVE-2026-7056, and CVE-2026-7057. The issues affect the /goform/L7Prot, /goform/VirtualSer, /goform/SafeUrlFilter, and /goform/setcfm endpoints respectively.
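
A log-triage check for the endpoints listed in this timeline, added here as an example and not taken from the CVE records or from Mallory: it flags requests to the named /goform/ handlers that come from outside the LAN or carry an unusually long parameter value. The record schema (src, uri, body), the 64-character threshold and the LAN ranges are assumptions.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# /goform/ handlers this page names for Tenda F456 firmware 1.0.0.5.
GOFORM_ENDPOINTS = set(
    "L7Prot VirtualSer SafeUrlFilter setcfm WrlclientSet Natlimit QuickIndex "
    "webExcptypemanFilter WrlExtraSet GstDhcpSetSer PPTPUserSetting AdvSetWan "
    "SetIpBind".split())
# Assumptions: the page gives no buffer sizes, so 64 is only a triage
# threshold; LAN lists the ranges treated as internal management sources.
MAX_PARAM_LEN = 64
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def inspect(record):
    """Return (reason, detail) findings for one HTTP request record."""
    parts = urlsplit(record["uri"])
    prefix, _, handler = parts.path.rpartition("/")
    if prefix != "/goform" or handler not in GOFORM_ENDPOINTS:
        return []
    findings = []
    src = ipaddress.ip_address(record["src"])
    if not any(src in net for net in LAN):
        findings.append(("external-source", str(src)))
    # Parameters can arrive in the query string or a form-encoded body.
    params = parse_qsl(parts.query) + parse_qsl(record.get("body", ""))
    for name, value in params:
        if len(value) > MAX_PARAM_LEN:
            findings.append(("oversized-param", f"{handler}:{name}={len(value)}"))
    return findings

def scan(records):
    """Return (src, findings) for every record with at least one finding."""
    alerts = []
    for record in records:
        try:
            findings = inspect(record)
        except (KeyError, ValueError):  # missing field or unparsable address
            continue
        if findings:
            alerts.append((record["src"], findings))
    return alerts

# Constructed sample records (hypothetical sensor schema: src, uri, body).
SAMPLE = [
    {"src": "192.168.0.23", "uri": "/goform/SetIpBind", "body": "page=1"},
    {"src": "192.168.0.23", "uri": "/goform/QuickIndex", "body": "mit_linktype=" + "x" * 300},
    {"src": "203.0.113.7", "uri": "/goform/AdvSetWan?wanmode=2", "body": ""},
    {"src": "192.168.0.23", "uri": "/index.html", "body": ""},
]
if __name__ == "__main__": print(scan(SAMPLE))
```

Tune `MAX_PARAM_LEN` against normal management traffic before alerting on it; any `external-source` hit means the router's web interface is reachable from outside the ranges in `LAN`.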

Related Stories

Publicly Disclosed Stack Overflow Flaws Expose Tenda F451 Routers to Remote Attack

Two high-severity vulnerabilities, **CVE-2026-6122** and **CVE-2026-6136**, were disclosed for **Tenda F451** routers, both affecting firmware `1.0.0.7` and enabling **remote stack-based buffer overflow** attacks through the device's `httpd` web interface. The flaws reside in the `/goform/L7Prot` and `/goform/L7Im` endpoints, specifically in the `frmL7ProtForm` and `frmL7ImForm` functions, where improper handling of the `page` argument can corrupt stack memory. Both CVEs are mapped to **CWE-119** and **CWE-121**, and the disclosures indicate that **public exploit details are already available**, raising the risk of near-term exploitation against exposed devices. One advisory notes the issue requires only **low privileges** for exploitation, and both entries describe the attack path as remote, making internet-accessible or poorly segmented Tenda F451 deployments a likely target for abuse.

2 weeks ago

Publicly Exploitable Buffer Overflows Disclosed in Tenda FH451 and F453 Routers

Two high-severity vulnerabilities have been disclosed in Tenda router firmware, affecting **FH451 1.0.0.9** and **F453 1.0.0.3**. The flaws are tracked as `CVE-2026-4534` and `CVE-2026-4552` and both involve remotely reachable stack-based buffer overflows in web management handlers. In the FH451 case, the issue is in the `formWrlExtraSet` function exposed through the `/goform/WrlExtraSet` component, where manipulation of the `GO` argument can trigger memory corruption. In the F453 case, the vulnerable code is the `fromVirtualSer` function behind the `/goform/VirtualSer` endpoint, where the `page` argument can be abused to cause a similar overflow. Both CVE records indicate that **public exploits are available**, increasing the likelihood of opportunistic attacks against exposed devices. The disclosures map the weaknesses to `CWE-119` and `CWE-121`, reflecting out-of-bounds memory handling and stack-based buffer overflow conditions, and the published scoring points to high impact on confidentiality, integrity, and availability. Organizations using these Tenda models should treat the flaws as urgent remote compromise risks, especially where router administration interfaces are internet-accessible.

1 month ago

Publicly Exploitable Stack Overflows Disclosed in Tenda F453 and F451 Routers

Two high-severity vulnerabilities have been disclosed in Tenda routers, both enabling remote stack-based buffer overflows through exposed `/goform/` endpoints. **CVE-2026-4551** affects the Tenda **F453** running version `1.0.0.3`, where the `fromSafeClientFilter` function in the `/goform/SafeClientFilter` handler can be exploited by manipulating the `menufacturer/Go` argument. **CVE-2026-5990** affects the Tenda **F451** running version `1.0.0.7`, where the `fromSafeEmailFilter` function in the `/goform/SafeEmailFilter` component can be triggered via the `page` argument. Both flaws are classified under **CWE-119** and **CWE-121** and are described as remotely exploitable with **public exploit information available**, raising the risk of active abuse against exposed devices. The CVE records assign high impact across **confidentiality, integrity, and availability** in published CVSS scoring, indicating that successful exploitation could give attackers a powerful path to compromise vulnerable edge networking equipment.

2 weeks ago
