CVE-2026-31255
Severity: CRITICAL (CVSS 9.8)
WAF Coverage: High
Published: 2026-04-27
CWE-77
A command injection vulnerability exists in Tenda AC18 V15.03.05.05_multi. The vulnerability is located in the /goform/SetSambaCfg interface, where improper handling of the guestuser parameter allows attackers to execute arbitrary system commands.
WAF Coverage Analysis
Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| tenda | ac18_firmware | 15.03.05.05 |
References
- github.com (Exploit, Third Party Advisory)