Cyber Posture

CVE-2026-5841

HighPublic PoC

Published: 09 April 2026

Published
09 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0006 17.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5841 is a high-severity Path Traversal (CWE-22) vulnerability in Tenda I3 Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
preventrecover

Requires timely identification, reporting, and correction of the path traversal flaw in the R7WebsSecurityHandler function of the Tenda i3 firmware.

SI-10 Information Input Validation good match
prevent

Mandates validation of HTTP handler inputs to block path traversal sequences like '../' that enable access outside intended directories.

AC-3 Access Enforcement partial match
prevent

Enforces logical access controls to restrict unauthorized reading or modification of restricted files despite path traversal attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Path traversal in the unauthenticated HTTP Handler (R7WebsSecurityHandler) of a public-facing router web interface directly enables remote exploitation of the application without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A weakness has been identified in Tenda i3 1.0.0.6(2204). The affected element is the function R7WebsSecurityHandler of the component HTTP Handler. Executing a manipulation can lead to path traversal. The attack can be executed remotely. The exploit has been made…

more

available to the public and could be used for attacks.

Deeper analysisAI

CVE-2026-5841 is a path traversal vulnerability (CWE-22) affecting the Tenda i3 router on firmware version 1.0.0.6(2204). The flaw exists in the R7WebsSecurityHandler function of the HTTP Handler component, where manipulated inputs allow traversal outside intended directories.

The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), enabling remote exploitation without authentication, privileges, or user interaction. Attackers can execute the manipulation over the network to achieve low-level impacts on confidentiality, integrity, and availability, such as reading or modifying restricted files.

Advisories reference a public exploit on GitHub targeting R7WebsSecurityHandler authentication bypass issues in the affected firmware, along with VulDB entries detailing the vulnerability and CTI. The Tenda vendor website is listed, but no specific patches or mitigations are outlined in the available references.

Details

CWE(s)
CWE-22

Affected Products

tenda
i3 firmware
1.0.0.6\(2204\)

CVEs Like This One

CVE-2026-3803Same product: Tenda I3
CVE-2026-3971Same product: Tenda I3
CVE-2026-3802Same product: Tenda I3
CVE-2026-3804Same product: Tenda I3
CVE-2026-3970Same product: Tenda I3
CVE-2026-3799Same product: Tenda I3
CVE-2026-3801Same product: Tenda I3
CVE-2026-5962Same vendor: Tenda
CVE-2026-7036Same vendor: Tenda
CVE-2026-5849Same vendor: Tenda

References