CVE-2026-5036 is a stack-based buffer overflow (CVSS 8.8) in Tenda 4G06 firmware version 04.06.01.29, exploitable by unauthenticated remote attackers via the /goform/DhcpListClient endpoint with a public exploit available; EPSS is at the 13th percentile indicating low observed exploitation in the wild at time of publication. Organizations should identify all Tenda 4G06 devices in their environment, restrict or block access to the management interface and /goform/ endpoints, and monitor the Tenda support portal for firmware updates. No vendor patch has been confirmed in available source data.