CVE-2026-10189

Tenda W12 httpd cgiSysTimeInfoSet stack-based overflow

CVSS 8.7 HIGHEPSS 0.5%CWE-119 CWE-121

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.7EPSS 0.5%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

31 May 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

A vulnerability has been found in Tenda W12 3.0.0.7(4763). This vulnerability affects the function cgiSysTimeInfoSet of the file /bin/httpd. The manipulation of the argument sec leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Affected products

Tenda · W12

public PoCs found — 1

cve_referencecdn2.v50to.cc/cgiSysTimeInfoSet_overflow.zipunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://cdn2.v50to.cc/cgiSysTimeInfoSet_overflow.zip https://vuldb.com/cve/CVE-2026-10189 https://vuldb.com/submit/820021 https://vuldb.com/vuln/367470 https://vuldb.com/vuln/367470/cti https://www.tenda.com.cn/