Cyber Resilience

CVE-2026-8263

LowPublic PoC

Published: 11 May 2026

Published
11 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v4 2.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0455 90.4th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-8263 is a low-severity Command Injection (CWE-77) vulnerability in Tenda Ac10U Firmware. Its CVSS base score is 2.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01. Affected is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet of the component httpd. Performing a manipulation of the argument mac/ssid results in os command injection. It is possible to initiate…

more

the attack remotely. The exploit has been released to the public and may be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Remote OS command injection in public httpd web interface directly enables exploitation of the exposed application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15218Same product: Tenda Ac10U
CVE-2025-15215Same product: Tenda Ac10U
CVE-2026-8259Same vendor: Tenda
CVE-2026-4253Same vendor: Tenda
CVE-2026-8265Same vendor: Tenda
CVE-2026-7119Same vendor: Tenda
CVE-2026-5547Same vendor: Tenda
CVE-2026-7096Same vendor: Tenda
CVE-2026-8264Same vendor: Tenda
CVE-2026-25857Same vendor: Tenda

Affected Assets

tenda
ac10u firmware
15.03.06.49_multi_tde01

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References