Tenda F3 Wireless Router Content-Type Confusion Vulnerability Allowing Reflected Cross-Site Scripting

Vulnerability

A content-type confusion vulnerability has been identified in the administrative interface of the Tenda F3 Wireless Router, specifically in firmware version 12.01.01.55_multi. This vulnerability arises because the response headers omit the X-Content-Type-Options: nosniff directive, allowing attacker-influenced content to be reflected into the response body. Under certain browser behaviors, this MIME sniffing can lead to the response being interpreted as active HTML, which could enable script execution within the administrative interface.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject scripts that are executed in the context of the user's session on the affected device.

Added: Feb 23, 2026, 5:43 PM

Updated: Feb 23, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

5.4

exploitability

5.4

remediation

0.0

relevance

3.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

5.4

exploitability

5.4

remediation

0.0

relevance

3.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tenda F3 Wireless Router Content-Type Confusion Vulnerability Allowing Reflected Cross-Site Scripting

Vulnerability

Impact

Affected Products

Shenzhen Tenda F3

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating