CVE-2026-7096 | THREATINT

Description

A security flaw has been discovered in Tenda HG3 2.0 300003070. This vulnerability affects the function formgponConf of the file /boaform/admin/formgponConf. The manipulation of the argument fmgpon_loid results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

PUBLISHED Reserved 2026-04-26 | Published 2026-04-27 | Updated 2026-04-27 | Assigner VulDB

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

HIGH: 8.8CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

9.0AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR

Problem types

OS Command Injection

Command Injection

Product status

2.0 300003070

affected

Timeline

2026-04-26:	Advisory disclosed
2026-04-26:	VulDB entry created
2026-04-26:	VulDB entry last update

Credits

2er00ne (VulDB User) reporter

References

vuldb.com/vuln/359671 (VDB-359671 | Tenda HG3 formgponConf os command injection) vdb-entry technical-description

vuldb.com/vuln/359671/cti (VDB-359671 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/800796 (Submit #800796 | Tenda HG3 N300 Wi-Fi xPON ONT HARD_VERSION=V2.0 , Version: 300003070 Remote code execution) third-party-advisory

www.notion.so/Tenda-HG3-3250c75766a880c7b50fde0466557c5f exploit

www.tenda.com.cn/ product

cve.org (CVE-2026-7096)

nvd.nist.gov (CVE-2026-7096)

Download JSON