CVE-2026-24426 identifies a cross-site scripting (XSS) vulnerability in the web management interface of Shenzhen Tenda Technology Co., Ltd.'s Tenda AC7 router firmware version V03.03.03.01_cn and earlier. The root cause is improper neutralization of user input during web page generation, specifically a failure to adequately escape or encode user-supplied data before reflecting it in HTTP responses. This flaw allows an attacker to inject arbitrary HTML or JavaScript code that executes within the security context of the victim's browser when they access the router's management interface. The vulnerability does not require authentication or privileges, making it remotely exploitable by any attacker who can trick a user into visiting a maliciously crafted URL or interacting with a manipulated web page. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:A), and limited scope impact (S:L). Although no known exploits have been reported in the wild, the vulnerability could be leveraged for session hijacking, theft of administrative credentials, or unauthorized changes to router configuration, potentially leading to broader network compromise. The affected firmware versions are specific to the Tenda AC7 model, widely used in small office and home office environments. The lack of an official patch link suggests that remediation may require vendor intervention or manual mitigation steps. The vulnerability is classified under CWE-79, a common and well-understood web application security issue.

For European organizations, especially small and medium enterprises (SMEs) and home office users relying on Tenda AC7 routers, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to hijack administrative sessions, steal credentials, or alter router settings, potentially enabling persistent network access or traffic interception. This could compromise the confidentiality and integrity of internal communications and data. Given the router's role as a gateway device, an attacker could pivot to other internal systems, increasing the risk of lateral movement and data exfiltration. The requirement for user interaction limits mass exploitation but targeted phishing or social engineering campaigns could be effective. The impact is heightened in environments lacking network segmentation or where routers are directly exposed to untrusted networks. Additionally, compromised routers could be used as part of botnets or for launching further attacks, affecting organizational availability indirectly.

European organizations should immediately inventory their network infrastructure to identify the presence of Tenda AC7 routers running vulnerable firmware versions. Until an official patch is released, implement the following mitigations: restrict access to the router's web management interface by limiting it to trusted internal IP addresses and disabling remote management features; enforce strong, unique administrative passwords to reduce the risk of credential compromise; educate users about phishing and social engineering tactics to prevent interaction with malicious links; deploy network segmentation to isolate router management interfaces from general user networks; monitor network traffic for unusual activity indicative of exploitation attempts; consider using web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) to detect and block suspicious HTTP requests targeting the router interface; and regularly check for firmware updates from Shenzhen Tenda Technology and apply them promptly once available. Additionally, organizations should review router logs for signs of unauthorized access or configuration changes.