Home

Description

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a content-type confusion vulnerability in the administrative interface. Responses omit the X-Content-Type-Options: nosniff header and include attacker-influenced content that can be reflected into the response body. Under affected browser behaviors, MIME sniffing may cause the response to be interpreted as active HTML, enabling script execution in the context of the administrative interface.

PUBLISHED Reserved 2026-02-19 | Published 2026-02-23 | Updated 2026-02-23 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

CWE-116 Improper Encoding or Escaping of Output

Product status

Default status
unknown

Any version
affected

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. finder

References

www.tendacn.com/product/F3 product

www.vulncheck.com/...pt-execution-via-missing-nosniff-header third-party-advisory

cve.org (CVE-2026-27512)

nvd.nist.gov (CVE-2026-27512)

Download JSON