CVE-2026-36811: Shenzhen Tenda Technology Co
Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the picName parameter of the formDelwebAuthPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow in Tenda W15E firmware (v15.11.0.10) affects the picName parameter of the formDelwebAuthPic function. The vulnerability is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable from the internet. Successful exploitation crashes the affected device, causing a denial of service. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as the upstream vendor publishes a fix.
HarborGuard Coverage
Detection for CVE-2026-36811 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle Tenda W15E firmware components or related packages.
HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector; per-environment compliance-policy weighting then determines whether a threshold is breached and how the alert is prioritised and routed. Triage alerts are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
No fix version has been published by the vendor for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. Customers with auto-remediation enabled will automatically receive the rebuild, a regression-test run, and a PR opened against affected workloads at that time.
Exploit Conditions
- Network reachability: Required
  The vulnerable HTTP endpoint is exposed over the network, meaning an attacker must be able to send HTTP requests to the device to trigger the overflow.
- Authentication: Not required
  No credentials or session token are needed; any unauthenticated request carrying the malformed picName parameter is sufficient to trigger the vulnerability.
- Victim interaction: Not required
  No user action is required; the attacker sends a crafted HTTP request directly to the device without any involvement from a logged-in user.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond network access to the device.
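The exploit conditions above (network-reachable handler, no authentication, a single oversized picName value) and the compensating controls listed under "How HarborGuard Handles This" (management access limited to trusted subnets) translate directly into a detection rule. The following is an added example, not HarborGuard's or Tenda's code: it classifies captured HTTP requests to the handler and flags a picName that exceeds a length threshold or a source outside the trusted management subnet. The handler path /goform/formDelwebAuthPic, the 64-byte threshold, the trusted subnet and the sample captures are all assumptions constructed for the example; the advisory does not state the buffer size or the URL path.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumptions, not taken from the advisory: the form handler is served at this
# path (hypothetical), a legitimate picName is short (hypothetical threshold),
# and management traffic is only expected from this subnet (constructed).
HANDLER_PATH = "/goform/formDelwebAuthPic"
MAX_PICNAME_LEN = 64
TRUSTED_MGMT_NETS = [ipaddress.ip_network("192.168.0.0/24")]


def extract_picname_len(req):
    """Return the byte length of the longest picName in a captured request.

    Returns None when the request does not target the vulnerable handler,
    and 0 when it does but carries no picName at all.
    """
    parts = urlsplit(req["target"])
    if parts.path != HANDLER_PATH:
        return None
    values = list(parse_qs(parts.query, keep_blank_values=True).get("picName", []))
    # Form handlers normally take their parameters from a urlencoded POST body.
    if req["method"] == "POST" and req.get("content_type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        values += parse_qs(req.get("body", ""), keep_blank_values=True).get("picName", [])
    # Measure decoded bytes: that is what reaches the fixed-size buffer.
    return max((len(v.encode()) for v in values), default=0)


def assess(req):
    """Classify one captured request; None if it does not touch the handler."""
    length = extract_picname_len(req)
    if length is None:
        return None
    src = ipaddress.ip_address(req["src"])
    reasons = []
    if length > MAX_PICNAME_LEN:
        reasons.append(f"picName is {length} bytes (limit {MAX_PICNAME_LEN})")
    if not any(src in net for net in TRUSTED_MGMT_NETS):
        reasons.append(f"source {src} is outside the trusted management subnets")
    return {
        "src": str(src),
        "picname_len": length,
        "alert": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample captures (not real traffic): one benign management request,
# one oversized value from an untrusted address, one unrelated page fetch.
SAMPLE_REQUESTS = [
    {"src": "192.168.0.23", "method": "POST", "target": "/goform/formDelwebAuthPic",
     "content_type": "application/x-www-form-urlencoded", "body": "picName=logo.png"},
    {"src": "203.0.113.9", "method": "POST", "target": "/goform/formDelwebAuthPic",
     "content_type": "application/x-www-form-urlencoded", "body": "picName=" + "A" * 300},
    {"src": "192.168.0.23", "method": "GET", "target": "/index.html"},
]


def run(requests=SAMPLE_REQUESTS):
    """Return one assessment per request that reached the handler."""
    return [r for r in map(assess, requests) if r is not None]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The two checks are independent on purpose: the length check catches the malformed parameter regardless of where it comes from, while the subnet check enforces the network-policy isolation the advisory recommends and fires even for well-formed requests that arrive from outside the management plane.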
Blast Radius
- Crashes the affected Tenda W15E device, taking it offline and disrupting all network traffic it handles.
- Persistent or repeated exploitation can keep the device in a denial-of-service state, blocking connectivity for all users routed through it.
- No confidentiality or data-integrity impact is indicated; the attacker cannot read or modify stored data through this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: as no upstream fix exists at this time, HarborGuard continuously monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment the vendor ships a corrective firmware release. In the interim, customers are advised to apply compensating controls such as network-policy isolation to restrict HTTP management interface access to trusted subnets only, egress filtering to limit exposure of the device management plane, and feature-flag or ACL gating on the formDelwebAuthPic endpoint where firmware configuration permits. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically without manual intervention once a fix version is published.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H