7.1
CVE-2026-24431 - Tenda W30E V2 Web UI Reveals Passwords in Cleartext
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials.
4.8
CVE-2026-24437 - Tenda W30E V2 Missing Cache Controls for Credential-bearing Pages
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access.
9.2
CVE-2026-24436 - Tenda W30E V2 Lacks Rate Limiting on Authentication
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials.
8.7
CVE-2026-24428 - Tenda W30E V2 Incorrect Authorization Allows Administrator Password Change
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an att…
8.2
CVE-2026-24430 - Tenda W30E V2 HTTP Responses Expose Plaintext Credentials
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be expose…
9.3
CVE-2026-24429 - Tenda W30E V2 Hardcoded Default Password for Built-in Account
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated acce…
8.7
CVE-2026-24440 - Tenda W30E V2 Allows Password Changes Without Verifying Current Password
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained.
4.9
CVE-2026-1224 - Tanium addressed an uncontrolled resource consumption vulnerability in Discover.
Tanium addressed an uncontrolled resource consumption vulnerability in Discover.
5
CVE-2026-1446 - XSS issue in Esri ArcGIS Pro versions 3.6.0 and earlier
There is a Cross-Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A l…
7.8
CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.