CVE-2026-38142
An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attac
CVSS
6.5
Medio
EPSS
0.7%
p48
KEV
—
Exploit Today
15
0-100
Publicado: 1 jul 2026 · Última mod.: 2 jul 2026 · CWE-77
0.7%EPSS · 30 días0.7%
2026-07-022026-07-17
An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a crafted payload injected into the mac parameter.
- github.comhttps://github.com/longqx223/Tenda-ac-18-V15.03.05.05-/blob/main/Tenda%20AC18%20Unauthenticated%20Second-Order%20OS%20Command%20Injection%20in%20goformfast_setting_internet_set.pdf
- github.comhttps://github.com/longqx223/Tenda-ac-18-V15.03.05.05-/blob/main/Tenda%20AC18%20Unauthenticated%20Second-Order%20OS%20Command%20Injection%20in%20goformfast_setting_internet_set.pdf
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-422718.8 ALT99.6%
KEV—80BerriAI LiteLLM Command Injection Vulnerability3dCVE-2023-349609.8 CRÍ99.9%
——30A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.9dCVE-2023-376799.8 CRÍ99.9%
——30A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.9dCVE-2026-80379.6 CRÍ98.6%
——30OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints4dCVE-2022-457018.8 ALT98.5%
——30Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility feature.9dCVE-2023-337828.8 ALT98.3%
——30D-Link DIR-842V2 v1.0.3 was discovered to contain a command injection vulnerability via the iperf3 diagnostics function.9d