Severity: HIGH | CVE-2026-36813 | CNA: mitre

CVE-2026-36813: Shenzhen Tenda Technology Co

Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A buffer overflow vulnerability affects the Tenda W15E router (firmware v15.11.0.10), specifically in the picCropName parameter of the formCropAndSetWewifiPic function. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation crashes the affected device, causing a denial-of-service condition. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-36813 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Tenda W15E firmware or related components.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting it against each customer org's compliance policy, then routing findings to the appropriate team inbox based on severity thresholds and asset classification.

Patch (Pending upstream)

No fix version has been published for this CVE. HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released by the vendor.

Exploit Conditions

  • Network reachability: Required

    The vulnerable function is exposed over the network; an attacker must be able to send an HTTP request to the device to trigger the overflow.

  • Authentication: Not required

    No credentials or session token are needed; the endpoint is reachable without authentication.

  • Victim interaction: Not required

    The attack is fully remote and automated; no user on the target device needs to take any action.

  • Attack complexity: Detail

    Exploit reliability is high and no special environmental conditions, race conditions, or memory layout assumptions are required.

Blast Radius

  • Crashes the Tenda W15E device, taking the router offline and cutting off all network connectivity for downstream hosts.
  • Repeated crafted HTTP requests can sustain the denial-of-service condition, preventing the device from recovering without a manual reboot.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against all customer registries and pipeline images within minutes of publication. Because no upstream fix exists, HarborGuard monitors the vendor advisory on each ingest cycle and will surface a patched-image rebuild automatically once a fix version is released. In the meantime, customers can apply compensating controls through network policy: isolate the management interface behind a dedicated VLAN or firewall rule, restrict inbound HTTP access to trusted management hosts only, and consider egress filtering to limit the attack surface. When the vendor ships a patch, customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads without manual intervention.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H