CVE-2026-38142: An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a
An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a crafted payload injected into the mac parameter.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-38142
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-381420.69% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 48% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-38142 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for An unauthenticated command
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- criticalCVE-2026-58123: Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability t…nvd · 2026-07-09
- criticalCVE-2026-59800: 9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated PO…nvd · 2026-07-07
- highGHSA-h9f9-h6gm-wc85: flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`ghsa · 2026-07-06
- highCVE-2026-14809: Prog Management System developed by PROG MIS has a SQL Injection vulnerability, allowing unaut…nvd · 2026-07-06
- criticalCVE-2026-58455: Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that …nvd · 2026-07-02
- criticalCVE-2026-58457: Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS comma…nvd · 2026-07-01
More from NVD Recent CVEs
- mediumCVE-2026-15475: A weakness has been identified in MiniTool Partition Wizard up to 13.6. The affected element i…2026-07-12
- mediumCVE-2026-15474: A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an un…2026-07-12
- mediumCVE-2026-15473: A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects som…2026-07-12
- mediumCVE-2026-15472: A vulnerability was determined in Eleveo Call Recording Software 9.7.0. This vulnerability aff…2026-07-12
- mediumCVE-2026-15471: A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown par…2026-07-12