CVE-2026-7119
Published: 27 April 2026
Summary
CVE-2026-7119 is a high-severity Command Injection (CWE-77) vulnerability in Tenda Hg3 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
A vulnerability identified as CVE-2026-7119 affects Tenda HG3 2.0 firmware and resides in an unspecified function within the /boaform/formCountrystr endpoint. The flaw stems from improper handling of the countrystr parameter, enabling operating system command injection as classified under CWE-77 and CWE-78. The issue is remotely reachable and carries a CVSS 4.0 score of 7.4 reflecting network attack vector, low complexity, and low-privilege requirements with high impact on confidentiality, integrity, and availability.
An attacker with authenticated remote access can supply crafted input to the affected parameter and execute arbitrary operating system commands on the device. Publicly available exploit code increases the likelihood of successful attacks that could lead to full device compromise without user interaction.
Reference sources consist primarily of vulnerability database entries and a vendor homepage link, with no explicit patch details or mitigation guidance provided in the available records. The associated EPSS score remains flat at 0.0120 with no material increase observed since disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25834
Vulnerability details
A vulnerability was detected in Tenda HG3 2.0. The impacted element is an unknown function of the file /boaform/formCountrystr. The manipulation of the argument countrystr results in os command injection. The attack may be performed from remote. The exploit is…
more
now public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of a public-facing router web interface (T1190) for arbitrary OS command injection, facilitating Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the countrystr input parameter to block the OS command injection vector in /boaform/formCountrystr.
Limits privileges of the web process handling formCountrystr so injected commands cannot achieve full device compromise.
Enables monitoring of command execution and anomalous behavior on the Tenda HG3 resulting from successful exploitation of the public CVE-2026-7119 payload.