{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38835", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T15:35:41.189Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-21T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T16:59:46.480Z"}, "descriptions": [{"lang": "en", "value": "Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:52:32.919545Z", "id": "CVE-2026-38835", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:35:41.189Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-38835", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:52:32.919545Z"}}}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:53:02.279Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md"}], "descriptions": [{"lang": "en", "value": "Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T16:59:46.480Z"}}}, "cveMetadata": {"cveId": "CVE-2026-38835", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:35:41.189Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-21T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request."}], "id": "CVE-2026-38835", "lastModified": "2026-04-22T21:24:26.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T17:16:53.357", "references": [{"source": "cve@mitre.org", "url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/jsjbcyber/repo/blob/main/rep_2.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,16.01.0.21]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "w30e", "vendor": "tenda"}], "analysis": {"en": {"generated_at": "2026-04-21T23:10:46.866593+00:00", "value": {"mitigation_remediation": ["Apply the latest Tenda W30E firmware that resolves the command injection issue", "Restrict network access to the router\u2019s management interface and disable anonymous or local user access", "If a patch is unavailable, consider disabling the USB port or preventing the formSetUSBPartitionUmount endpoint from processing the usbPartitionName parameter", "Monitor router logs for unusual usbPartitionName activity and investigate any anomalies"], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution from crafted usbPartitionName input"}, "threat_synthesis": {"affected_systems": "The vulnerability affects devices running Tenda W30E firmware version V2.0 V16.01.0.21. No other vendors or product versions are listed as affected.", "description_and_impact": "Command injection is present in the formSetUSBPartitionUmount function of Tenda W30E firmware; a crafted usbPartitionName value can be used to inject and execute arbitrary commands on the device. This flaw enables attackers with network access to the router\u2019s management interface to run commands with the privileges of the device, potentially compromising the entire network or allowing further lateral movement.", "risk_and_exploitability": "The CVSS score is not published, but the capability to execute arbitrary commands suggests a high severity rating. EPSS data is not available and the flaw is not currently listed in CISA KEV, indicating no confirmed exploits yet. Attackers would need to reach the router\u2019s web interface, likely from a local network or through compromised credentials, to exploit the flaw. No official patch or workaround has been released at this time."}}}}, "created": "2026-04-21T18:30:27.392593+00:00", "title": "Command Injection Vulnerability in Tenda W30E via formSetUSBPartitionUmount", "updated": "2026-04-21T23:15:03.124659+00:00", "vendors": ["tenda", "tenda$PRODUCT$w30e"], "weaknesses": ["CWE-77", "CWE-78"]}