CVE-2026-22081— Cookie without HTTPOnly Flag Vulnerability in Tenda Wireless Routers
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-22081
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cookie without HTTPOnly Flag Vulnerability in Tenda Wireless Routers
Source: NVD (National Vulnerability Database)
Vulnerability Description
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
没有’HttpOnly’标志的敏感Cookie
Source: NVD (National Vulnerability Database)
Vulnerability Title
Tenda N300 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Tenda N300是中国腾达(Tenda)公司的一款路由器。 Tenda N300存在安全漏洞,该漏洞源于与基于Web的管理界面关联的会话cookie缺少HTTPOnly标志,可能导致远程攻击者通过不安全的HTTP连接捕获会话cookie,从而获得未经授权的访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Tenda | 300Mbps Wireless Router F3 and N300 Easy Setup Router | F3 v3.0 Firmware V12.01.01.41 | - |
II. Public POCs for CVE-2026-22081
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-22081
Please Login to view more intelligence information
Same Patch Batch · Tenda · 2026-01-09 · 4 CVEs total
| CVE-2026-22082 | Insecure Session ID Management Vulnerability in Tenda Wireless Routers | |
| CVE-2026-22080 | Insecure Transmission Vulnerability in Tenda Wireless Routers | |
| CVE-2026-22079 | Cleartext Transmission Vulnerability in Tenda Wireless Routers |
IV. Related Vulnerabilities
Same vendor: Tenda
- CVE-2026-8138
Tenda CX12L SetPptpServerCfg” formSetPPTPServer stack-based - CVE-2026-7470
Tenda 4G300 SafeMacFilter sub_427C3C stack-based overflow - CVE-2026-7469
Tenda 4G300 DelFil sub_425A28 command injection - CVE-2018-25317
Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness - CVE-2018-25318
Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Cha
Same weakness: CWE-1004
- CVE-2026-42239
Budibase auth session cookies are set with httpOnly:false — - CVE-2026-0696
Session Cookies Missing HttpOnly Attribute - CVE-2025-12031
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly - CVE-2025-42909
Security Misconfiguration vulnerability in SAP Cloud Applian - CVE-2025-27453
CVE-2025-27453
V. Comments for CVE-2026-22081
No comments yet