CVE-2026-24435

Summary

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allowing attacker-controlled origins to issue credentialed cross-origin requests.

Affected Software

VendorProductVersion RangeStatus
Shenzhen Tenda Technology Co., Ltd.W30E V20 <= 16.01.0.19(5037)affected

Weaknesses

  • CWE-942: CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References