Login Sign Up

CVE-2026-24433

5.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

This stored cross-site scripting vulnerability in Tenda W30E V2 routers allows attackers to inject malicious scripts into user creation fields. When administrative users view affected management pages, the scripts execute in their browser context, potentially compromising router administration. All users running vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • Shenzhen Tenda W30E V2
Versions: V16.01.0.19(5037) and earlier
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default web management interface. Requires attacker access to create users or modify existing user names.

📦 What is this software?

W30e Firmware by Tenda

View all CVEs affecting W30e Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full administrative control of router, modifies network settings, intercepts traffic, or installs persistent malware on the device.

🟠

Likely Case

Attacker steals administrative credentials, modifies DNS settings to redirect users to malicious sites, or performs session hijacking.

🟢

If Mitigated

Script execution is contained within admin interface with limited impact due to router's isolated nature and lack of sensitive data storage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to create or modify user accounts. Public proof-of-concept demonstrates injection via user name field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware for W30E V2. 3. Access router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload new firmware file. 6. Wait for automatic reboot.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router admin interface

Restrict Admin Access

all

Limit admin interface access to trusted IP addresses only

🧯 If You Can't Patch

  • Isolate router management interface on separate VLAN
  • Implement strict input validation at network perimeter

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status > Firmware Version

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than V16.01.0.19(5037) and test user creation with script payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual user creation/modification events
  • Admin interface access from unexpected IPs
  • HTTP requests containing script tags in user-related parameters

Network Indicators:

  • Multiple failed login attempts to admin interface
  • Unusual outbound connections from router after admin access

SIEM Query:

source="router.log" AND (event="user_create" OR event="user_modify") AND (message="*<script*" OR message="*javascript:*")

📊 Metadata

CVE ID: CVE-2026-24433
CVSS v3 Score: 5.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.01% exploit probability (0.9th percentile)
Published: January 26, 2026
Last Updated: January 28, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-24433, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)