CVE-2026-22081

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device.

CVSS

No CVSS.

References

Link	Resource
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Esta vulnerabilidad existe en routers inalámbricos Tenda (Router Inalámbrico de 300Mbps F3 y Router de Fácil Configuración N300) debido a la ausencia de la bandera HTTPOnly para las cookies de sesión asociadas con la interfaz administrativa basada en web. Un atacante remoto podría explotar esta vulnerabilidad al capturar cookies de sesión transmitidas a través de una conexión HTTP insegura. La explotación exitosa de esta vulnerabilidad podría permitir al atacante obtener información sensible y obtener acceso no autorizado al dispositivo objetivo.

09 Jan 2026, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-09 12:15

Updated : 2026-04-15 00:35

NVD link : CVE-2026-22081

Mitre link : CVE-2026-22081

CVE.ORG link : CVE-2026-22081

JSON object : View

Products Affected

No product.

CWE

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

{"id": "CVE-2026-22081", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "vdisclose@cert-in.org.in", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-09T12:15:54.260", "references": [{"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004", "source": "vdisclose@cert-in.org.in"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "vdisclose@cert-in.org.in", "description": [{"lang": "en", "value": "CWE-1004"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection.\n\nSuccessful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device."}, {"lang": "es", "value": "Esta vulnerabilidad existe en routers inal\u00e1mbricos Tenda (Router Inal\u00e1mbrico de 300Mbps F3 y Router de F\u00e1cil Configuraci\u00f3n N300) debido a la ausencia de la bandera HTTPOnly para las cookies de sesi\u00f3n asociadas con la interfaz administrativa basada en web. Un atacante remoto podr\u00eda explotar esta vulnerabilidad al capturar cookies de sesi\u00f3n transmitidas a trav\u00e9s de una conexi\u00f3n HTTP insegura.\n\nLa explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante obtener informaci\u00f3n sensible y obtener acceso no autorizado al dispositivo objetivo."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "vdisclose@cert-in.org.in"}