
33 matches found

RedhatCVE
added 2026/01/27 9:23 p.m., 3 views

CVE-2026-24439

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable...

CVSS: 6.5 | AI score: 5.9 | EPSS: 0.0005
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/27 9:23 p.m., 2 views

CVE-2026-24437

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access...

CVSS: 5.5 | AI score: 5.9 | EPSS: 0.00008
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/27 9:23 p.m., 2 views

CVE-2026-24436

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.00045
Exploits: 0 | References: 1

OSV
added 2026/01/26 6:16 p.m., 1 view

CVE-2026-24435

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: in combination with Access-Control-Allow-Credentials: true, allowing...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00057
Exploits: 0 | References: 2

OSV
added 2026/01/26 6:16 p.m., 0 views

CVE-2026-24440

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained...

CVSS: 8.8 | AI score: 5.7
Exploits: 0 | References: 2

NVD
added 2026/01/26 6:16 p.m., 3 views

CVE-2026-24435

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: in combination with Access-Control-Allow-Credentials: true, allowing...

CVSS: 7.1 | EPSS: 0.00057
Exploits: 0 | References: 2

NVD
added 2026/01/26 6:16 p.m., 2 views

CVE-2026-24437

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access...

CVSS: 5.5 | EPSS: 0.00008
Exploits: 0 | References: 2

OSV
added 2026/01/26 6:16 p.m., 0 views

CVE-2026-24437

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access...

CVSS: 5.5 | AI score: 5.8
Exploits: 0 | References: 2

NVD
added 2026/01/26 6:16 p.m., 4 views

CVE-2026-24439

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable...

CVSS: 6.5 | EPSS: 0.0005
Exploits: 0 | References: 2

NVD
added 2026/01/26 6:16 p.m., 2 views

CVE-2026-24432

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered b...

CVSS: 5.1 | EPSS: 0.00026
Exploits: 0 | References: 2

NVD
added 2026/01/26 6:16 p.m., 3 views

CVE-2026-24429

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated acce...

CVSS: 9.8 | EPSS: 0.0014
Exploits: 0 | References: 2

NVD
added 2026/01/26 6:16 p.m., 6 views

CVE-2026-24433

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users...

CVSS: 5.4 | EPSS: 0.00016
Exploits: 0 | References: 2

Cvelist
added 2026/01/26 5:49 p.m., 22 views

CVE-2026-24435 Tenda W30E V2 Permissive CORS Allows Cross-origin Data Access

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: in combination with Access-Control-Allow-Credentials: true, allowing...

CVSS: 7.1 | EPSS: 0.00057
Exploits: 0 | References: 2

CVE
added 2026/01/26 5:48 p.m., 5 views

CVE-2026-24439

The CVE-2026-24439 entry concerns Shenzhen Tenda W30E V2 firmware up to and including V16.01.0.19(5037) that lacks the X-Content-Type-Options: nosniff header on web management interfaces. This omission can allow browsers that perform MIME sniffing to misinterpret attacker-influenced responses as ...

CVSS: 6.5 | AI score: 5.9 | EPSS: 0.0005
Exploits: 0 | References: 2 | Affected Software: 1

ATTACKERKB
added 2026/01/26 5:48 p.m., 3 views

CVE-2026-24439

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable...

CVSS: 2.1 | AI score: 5.9 | EPSS: 0.0005
Exploits: 0 | References: 3

CVE
added 2026/01/26 5:46 p.m., 4 views

CVE-2026-24432

Shenzhen Tenda W30E V2 firmware up to 16.01.0.19(5037) lacks CSRF protections on administrative endpoints, including password changes. An attacker could craft requests that, when triggered by an authenticated user’s browser, modify admin passwords and other settings. Root cause: missing CSRF prot...

CVSS: 5.1 | AI score: 5.9 | EPSS: 0.00026
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2026/01/26 5:40 p.m., 4 views

CVE-2026-24433

CVE-2026-24433 affects Shenzhen Tenda W30E V2 firmware

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00016
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2026/01/26 5:40 p.m., 24 views

CVE-2026-24431 Tenda W30E V2 Web UI Reveals Passwords in Cleartext

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials...

CVSS: 7.1 | EPSS: 0.00011
Exploits: 0 | References: 2

Vulnrichment
added 2026/01/26 5:40 p.m., 2 views

CVE-2026-24431 Tenda W30E V2 Web UI Reveals Passwords in Cleartext

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials...

CVSS: 7.1 | AI score: 5.9 | EPSS: 0.00011
Exploits: 0 | References: 2

CVE
added 2026/01/26 5:40 p.m., 8 views

CVE-2026-24436

The CVE-2026-24436 entry affects Shenzhen Tenda W30E V2 firmware and is caused by the device failing to enforce rate limiting or account lockout on authentication endpoints through V16.01.0.19(5037) and earlier. This enables unrestricted brute-force attempts against administrative credentials, im...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.00045
Exploits: 0 | References: 2 | Affected Software: 1