CVE-2026-25857 - Tenda G300-F Command Injection via formSetWanDiag

CVE ID : CVE-2026-25857 Published : Feb. 7, 2026, 10:16 p.m. | 1 hour, 6 minutes ago Description : Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process. Severity: 8.6 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...