CVE-2026-38835

· NIST NVD ↗

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CRITICAL
CVSS severity
9.8
CVSS base score
2026-04-21
Published

CWE codes

CWE-77

Affected products

tenda:w30e_firmwaretenda:w30e

Sources