Cyber Resilience

CVE-2026-5841

MediumPublic PoC

Published: 09 April 2026

Published
09 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0063 45.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-5841 is a medium-severity Path Traversal (CWE-22) vulnerability in Tenda I3 Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5841 is a path traversal vulnerability (CWE-22) affecting the Tenda i3 router on firmware version 1.0.0.6(2204). The flaw exists in the R7WebsSecurityHandler function of the HTTP Handler component, where manipulated inputs allow traversal outside intended directories.

The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), enabling remote exploitation without authentication, privileges, or user interaction. Attackers can execute the manipulation over the network to achieve low-level impacts on confidentiality, integrity, and availability, such as reading or modifying restricted files.

Advisories reference a public exploit on GitHub targeting R7WebsSecurityHandler authentication bypass issues in the affected firmware, along with VulDB entries detailing the vulnerability and CTI. The Tenda vendor website is listed, but no specific patches or mitigations are outlined in the available references.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A weakness has been identified in Tenda i3 1.0.0.6(2204). The affected element is the function R7WebsSecurityHandler of the component HTTP Handler. Executing a manipulation can lead to path traversal. The attack can be executed remotely. The exploit has been made…

more

available to the public and could be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in the unauthenticated HTTP Handler (R7WebsSecurityHandler) of a public-facing router web interface directly enables remote exploitation of the application without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3803Same product: Tenda I3
CVE-2026-3970Same product: Tenda I3
CVE-2026-3804Same product: Tenda I3
CVE-2026-3799Same product: Tenda I3
CVE-2026-3802Same product: Tenda I3
CVE-2026-3971Same product: Tenda I3
CVE-2026-3801Same product: Tenda I3
CVE-2026-5962Same vendor: Tenda
CVE-2026-7036Same vendor: Tenda
CVE-2026-5849Same vendor: Tenda

Affected Assets

tenda
i3 firmware
1.0.0.6\(2204\)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Requires timely identification, reporting, and correction of the path traversal flaw in the R7WebsSecurityHandler function of the Tenda i3 firmware.

prevent

Mandates validation of HTTP handler inputs to block path traversal sequences like '../' that enable access outside intended directories.

prevent

Enforces logical access controls to restrict unauthorized reading or modification of restricted files despite path traversal attempts.

References