CVE-2026-7036

HighPublic PoC

Published: 26 April 2026

Published

26 April 2026

Modified

30 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0024 46.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was identified in Tenda i9 1.0.0.5(2204). This vulnerability affects the function R7WebsSecurityHandlerfunction of the component HTTP Handler. The manipulation leads to path traversal. Remote exploitation of the attack is possible. The exploit is publicly available and might be…

used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents path traversal exploitation by validating inputs to the R7WebsSecurityHandlerfunction in the HTTP Handler, blocking malicious path manipulations.

SI-2 Flaw Remediation good match

prevent

Requires timely flaw remediation such as firmware patching for Tenda i9 1.0.0.5(2204), eliminating the root cause of the vulnerability.

SC-7 Boundary Protection partial match

prevent

Boundary protection mechanisms like web application firewalls can inspect and block path traversal attempts in unauthenticated remote HTTP requests to the affected component.

Security SummaryAI

CVE-2026-7036 is a path traversal vulnerability (CWE-22) in Tenda i9 firmware version 1.0.0.5(2204). It affects the R7WebsSecurityHandlerfunction within the HTTP Handler component. Published on 2026-04-26, the issue has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), reflecting its network-based exploitability without authentication or user interaction.

Remote attackers can exploit this vulnerability over the network with no privileges required. By manipulating inputs to the HTTP Handler, they can traverse paths to access unintended files, achieving limited impacts on confidentiality (C:L), integrity (I:L), and availability (A:L).

Advisories and details are documented on VulDB (https://vuldb.com/vuln/359616, https://vuldb.com/vuln/359616/cti, https://vuldb.com/submit/798479), a GitHub repository (https://github.com/Litengzheng/vuldb_new/blob/main/M3/vul_80/README.md), and the Tenda vendor site (https://www.tenda.com.cn/). Security practitioners should consult these for any recommended patches or mitigations.

The exploit is publicly available, raising concerns for potential active use against unpatched Tenda i9 devices.

Details

CWE(s): CWE-22

Affected Products

tenda

i9 firmware

1.0.0.5\(2204\)

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Path traversal vulnerability (CWE-22) in the public-facing HTTP handler of Tenda i9 router firmware enables remote unauthenticated exploitation of a public-facing application to access unintended files.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new/blob/main/M3/vul_80/README.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/submit/798479
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/359616
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/359616/cti
Permissions Required, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com