CVE-2026-11499

Publié : 8 juin 2026

Modifié : 8 juin 2026

Score CVSS

9.8

CRITICAL

Description détaillée

A vulnerability was determined in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formDOMAINBLK of the file /boaform/formDOMAINBLK. Executing a manipulation of the argument blkDomain can lead to stack-based buffer overflow. The attack may be performed from remote.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Références et Patchs

https://github.com/ssaaaa1234/Tenda-HG10-formDOMAINBLK-stack-overflow-2 https://vuldb.com/cve/CVE-2026-11499 https://vuldb.com/submit/834888 https://vuldb.com/vuln/369119 https://vuldb.com/vuln/369119/cti https://www.tenda.com.cn/

Dernières Vulnérabilités

CVE-2026-9549

Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page.

VOIR DÉTAILS

CVE-2026-8833

Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.

VOIR DÉTAILS

CVE-2026-8078

Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.

VOIR DÉTAILS