CVE-2026-22081

09.01.2026, 12:15

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection.

Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
CERT-In	CNA	---	---
CISA-ADP	ADP	---	---

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Common Weakness Enumeration

CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

References

https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004