Improper Output Encoding in Tenda AC7 Firmware by Shenzhen Tenda
CVE-2026-24426

5.1MEDIUM

Key Information:

Vendor: Shenzhen Tenda Technology Co., Ltd.
Status: Tenda Ac7
Vendor: CVE Published:; 3 February 2026

🔔 Create Shenzhen Tenda Technology Co., Ltd. Vulnerability Alert

What is CVE-2026-24426?

The Tenda AC7 firmware has a significant flaw in its web management interface, specifically related to improper output encoding. This vulnerability allows user-supplied input to be reflected in HTTP responses without adequate escaping, posing a risk of arbitrary HTML or JavaScript being executed in the context of a victim's browser. This not only compromises the integrity of user interactions with the web interface but also opens avenues for potential exploitation through cross-site scripting (XSS) attacks.

Affected Version(s)

Tenda AC7 0 <= 03.03.03.01_cn

References

https://www.tendacn.com/product/AC7

product

https://www.vulncheck.com/advisories/tenda-ac7-reflected-...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 3, 2026
Vulnerability Reserved
Jan 22, 2026

Credit

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.

CVE-2026-24426 Data

JSON