Primary

Context

Tenda AC15 Command Injection Vulnerability in goform/formSetIptv

Vulnerability

A command injection vulnerability has been identified in the Tenda AC15 router, specifically in the firmware version V15.03.05.18_multi. The issue arises within the goform/formSetIptv endpoint, where the parameter s1_1 is passed to a function without proper validation. This lack of input sanitization could allow an attacker to inject and execute arbitrary commands on the device.

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to the /goform/formSetIptv endpoint. Include the s1_1 parameter with a value that contains the desired command payload. The injected command will be executed on the router's system.

Added: Mar 2, 2026, 4:24 PM

Updated: Mar 2, 2026, 9:44 PM

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

7.5

exploitability

4.6

remediation

0.0

relevance

3.4

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

7.5

exploitability

4.6

remediation

0.0

relevance

3.4

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tenda AC15 Command Injection Vulnerability in goform/formSetIptv

Vulnerability

Impact

Reproduction

Affected Products

Tenda AC15

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating