Cyber Resilience

CVE-2026-7036

MediumPublic PoC

Published: 26 April 2026

Published
26 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0054 41.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-7036 is a medium-severity Path Traversal (CWE-22) vulnerability in Tenda I9 Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7036 is a path traversal vulnerability (CWE-22) in Tenda i9 firmware version 1.0.0.5(2204). It affects the R7WebsSecurityHandlerfunction within the HTTP Handler component. Published on 2026-04-26, the issue has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), reflecting its network-based exploitability without authentication or user interaction.

Remote attackers can exploit this vulnerability over the network with no privileges required. By manipulating inputs to the HTTP Handler, they can traverse paths to access unintended files, achieving limited impacts on confidentiality (C:L), integrity (I:L), and availability (A:L).

Advisories and details are documented on VulDB (https://vuldb.com/vuln/359616, https://vuldb.com/vuln/359616/cti, https://vuldb.com/submit/798479), a GitHub repository (https://github.com/Litengzheng/vuldb_new/blob/main/M3/vul_80/README.md), and the Tenda vendor site (https://www.tenda.com.cn/). Security practitioners should consult these for any recommended patches or mitigations.

The exploit is publicly available, raising concerns for potential active use against unpatched Tenda i9 devices.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was identified in Tenda i9 1.0.0.5(2204). This vulnerability affects the function R7WebsSecurityHandlerfunction of the component HTTP Handler. The manipulation leads to path traversal. Remote exploitation of the attack is possible. The exploit is publicly available and might be…

more

used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability (CWE-22) in the public-facing HTTP handler of Tenda i9 router firmware enables remote unauthenticated exploitation of a public-facing application to access unintended files.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5841Same vendor: Tenda
CVE-2026-5962Same vendor: Tenda
CVE-2026-5849Same vendor: Tenda
CVE-2026-6024Same vendor: Tenda
CVE-2018-25316Same vendor: Tenda
CVE-2026-2886Same vendor: Tenda
CVE-2025-8017Same vendor: Tenda
CVE-2025-69763Same vendor: Tenda
CVE-2026-7055Same vendor: Tenda
CVE-2025-14665Same vendor: Tenda

Affected Assets

tenda
i9 firmware
1.0.0.5\(2204\)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents path traversal exploitation by validating inputs to the R7WebsSecurityHandlerfunction in the HTTP Handler, blocking malicious path manipulations.

prevent

Requires timely flaw remediation such as firmware patching for Tenda i9 1.0.0.5(2204), eliminating the root cause of the vulnerability.

prevent

Boundary protection mechanisms like web application firewalls can inspect and block path traversal attempts in unauthenticated remote HTTP requests to the affected component.

References