Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    275 vulnerabilities by TP-Link Systems INC.

    CVE-2026-9770 (GCVE-0-2026-9770)

    Vulnerability from nvd – Published: 2026-07-15 00:21 – Updated: 2026-07-15 12:38
    VLAI
    Title
    Hardcoded Cryptographic Key Information Disclosure Vulnerability on TP-Link Kasa EC70 and EC71
    Summary
    Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem that is shared across devices.  An attacker with access to the firmware image can extract the embedded key.  Successful exploitation may allow an unauthenticated attacker on the same network to use this key in the web management service, compromising the confidentiality of encrypted communications. This may enable passive decryption of traffic or active man-in-the-middle (MITM) attacks
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of hard-coded cryptographic key
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Kasa EC71 v4 Affected: 0 , < 2.4.0 Build 20260520 rel.4191 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Kasa EC70 v4 Affected: 0 , < 2.4.0 Build 20260520 rel.4191 (custom)
    Create a notification for this product.
    Credits
    Christopher Childress
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9770",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:37:44.275721Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:38:03.180Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Kasa EC71 v4",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "2.4.0 Build 20260520 rel.4191",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Kasa EC70 v4",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "2.4.0 Build 20260520 rel.4191",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Christopher Childress"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eKasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem\nthat is shared across devices.\u0026nbsp; An\nattacker with access to the firmware image can extract the embedded key.\u0026nbsp; \u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eSuccessful\nexploitation may allow an unauthenticated attacker on the same network to use\nthis key in the web management service, compromising the confidentiality of\nencrypted communications. This may enable passive decryption of traffic or\nactive man-in-the-middle (MITM) attacks\u003c/p\u003e"
                }
              ],
              "value": "Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem\nthat is shared across devices.\u00a0 An\nattacker with access to the firmware image can extract the embedded key.\u00a0 \n\n\n\n\n\n\n\n\n\nSuccessful\nexploitation may allow an unauthenticated attacker on the same network to use\nthis key in the web management service, compromising the confidentiality of\nencrypted communications. This may enable passive decryption of traffic or\nactive man-in-the-middle (MITM) attacks"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-474",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-474 Signature Spoofing by Key Theft"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of hard-coded cryptographic key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T00:21:06.126Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/ec71/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/ec71/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/ec70/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/ec70/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5192/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hardcoded Cryptographic Key Information Disclosure Vulnerability on TP-Link Kasa EC70 and EC71",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-9770",
        "datePublished": "2026-07-15T00:21:06.126Z",
        "dateReserved": "2026-05-27T22:00:46.491Z",
        "dateUpdated": "2026-07-15T12:38:03.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13230 (GCVE-0-2026-13230)

    Vulnerability from nvd – Published: 2026-07-15 00:21 – Updated: 2026-07-15 12:37
    VLAI
    Title
    Information Disclosure Vulnerability in Local Discovery Response in TP-Link Kasa EC70 and EC71
    Summary
    An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which exposes sensitive geolocation information without requiring authentication. This issue allows an attacker on the same local network to retrieve geolocation-related data through crafted responses. The vulnerability impacts confidentiality only, with no evidence of integrity of availability impact.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Kasa EC71 v4 Affected: 0 , < 2.4.1 Build 20260621 rel.76536 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Kasa EC70 v4 Affected: 0 , < 2.4.1 Build 20260621 rel.76536 (custom)
    Create a notification for this product.
    Credits
    Christopher Childress
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13230",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:36:57.835701Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:37:09.376Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "NVMP"
              ],
              "product": "Kasa EC71 v4",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "2.4.1 Build 20260621 rel.76536",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "NVMP"
              ],
              "product": "Kasa EC70 v4",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "2.4.1 Build 20260621 rel.76536",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Christopher Childress"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which\u0026nbsp;\u003cspan\u003eexposes\nsensitive geolocation information without requiring authentication. This issue\nallows an attacker on the same local network to retrieve geolocation-related\ndata through crafted responses.\u003c/span\u003e\u003cdiv\u003e\u003cp\u003eThe\nvulnerability impacts confidentiality only, with no evidence of integrity of\navailability impact.\u003c/p\u003e\u003c/div\u003e"
                }
              ],
              "value": "An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which\u00a0exposes\nsensitive geolocation information without requiring authentication. This issue\nallows an attacker on the same local network to retrieve geolocation-related\ndata through crafted responses.\n\nThe\nvulnerability impacts confidentiality only, with no evidence of integrity of\navailability impact."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-118",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-118 Collect \u0026 Analyze Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T00:21:16.177Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/ec71/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/ec71/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/ec70/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/ec70/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5192/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Information Disclosure Vulnerability in Local Discovery Response in TP-Link Kasa EC70 and EC71",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-13230",
        "datePublished": "2026-07-15T00:21:16.177Z",
        "dateReserved": "2026-06-24T17:50:08.263Z",
        "dateUpdated": "2026-07-15T12:37:09.376Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5040 (GCVE-0-2026-5040)

    Vulnerability from nvd – Published: 2026-07-14 18:00 – Updated: 2026-07-15 10:27
    VLAI
    Title
    Weak Password Hashing Mechanism in TP-Link Deco M5
    Summary
    TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks. Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-916 - Use of Password Hash With Insufficient Computational Effort
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Deco M5 Deco M5 V1 Affected: 0 , < 1.9.4 Build 20260312 Rel.17129 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5040",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T04:01:00.675503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:27:47.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Deco M5 Deco M5 V1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.9.4 Build 20260312 Rel.17129",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials.  An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.\n\u003cbr\u003eSuccessful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.\u0026nbsp;\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials.  An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.\n\nSuccessful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-55",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-55 Rainbow Table Password Cracking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-916",
                  "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:00:32.162Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "url": "https://www.tp-link.com/us/support/download/deco-m5/v1/#Firmware"
            },
            {
              "url": "https://www.tp-link.com/en/support/download/deco-m5/v1/#Firmware"
            },
            {
              "url": "https://www.tp-link.com/us/support/faq/5190/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Weak Password Hashing Mechanism in TP-Link Deco M5",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-5040",
        "datePublished": "2026-07-14T18:00:32.162Z",
        "dateReserved": "2026-03-27T16:26:49.615Z",
        "dateUpdated": "2026-07-15T10:27:47.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15429 (GCVE-0-2026-15429)

    Vulnerability from nvd – Published: 2026-07-14 17:04 – Updated: 2026-07-15 03:59
    VLAI
    Title
    Privilege Escalation via Improper Input Sanitization in TP-Link Archer VX1800v
    Summary
    A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data.  An authenticated user with sufficient privileges may be able to modify account settings and gain elevated administrative privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-93 - Improper neutralization of CRLF sequences ('CRLF injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer VX1800v v1 Affected: 0 , < 0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n (custom)
    Create a notification for this product.
    Credits
    Klamm9
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15429",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T03:59:52.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Archer VX1800v v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Klamm9"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eA privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data.\u0026nbsp;\u003c/div\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eAn\nauthenticated user with sufficient privileges may be able to modify account\nsettings and gain elevated administrative privileges.\u003c/p\u003e"
                }
              ],
              "value": "A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data.\u00a0\n\n\n\n\n\n\n\n\n\nAn\nauthenticated user with sufficient privileges may be able to modify account\nsettings and gain elevated administrative privileges."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137 Parameter Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-93",
                  "description": "CWE-93 Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T17:04:06.888Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-vx1800v/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5189/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Privilege Escalation via Improper Input Sanitization in TP-Link Archer VX1800v",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-15429",
        "datePublished": "2026-07-14T17:04:06.888Z",
        "dateReserved": "2026-07-10T16:59:17.389Z",
        "dateUpdated": "2026-07-15T03:59:52.199Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15428 (GCVE-0-2026-15428)

    Vulnerability from nvd – Published: 2026-07-14 17:03 – Updated: 2026-07-15 03:59
    VLAI
    Title
    OS Command Injection in TR-069 (CWMP) Management Interface in TP-Link Archer VX1800v
    Summary
    An OS command injection vulnerability exists in Archer VX800v v1 due to insufficient input sanitization of the domain name parameter. An adjacent attacker who can access the relevant HTTP interface can modify the parameter to inject shell metacharacters, resulting in arbitrary code execution with root privileges. Successful exploitation may allow remote code execution and complete compromise of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer VX1800v v1 Affected: 0 , < 0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n (custom)
    Create a notification for this product.
    Credits
    Klamm9
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15428",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T03:59:51.416Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Archer VX1800v v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Klamm9"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn OS\ncommand injection vulnerability exists in Archer VX800v v1 due to insufficient input sanitization of\nthe domain name parameter. An adjacent attacker who can access the relevant\nHTTP interface can modify the parameter to inject shell metacharacters, resulting\nin arbitrary code execution with root privileges.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eSuccessful\nexploitation may allow remote code execution and complete compromise of the\ndevice.\u003c/p\u003e"
                }
              ],
              "value": "An OS\ncommand injection vulnerability exists in Archer VX800v v1 due to insufficient input sanitization of\nthe domain name parameter. An adjacent attacker who can access the relevant\nHTTP interface can modify the parameter to inject shell metacharacters, resulting\nin arbitrary code execution with root privileges.\n\n\n\n\n\n\n\n\n\nSuccessful\nexploitation may allow remote code execution and complete compromise of the\ndevice."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T17:03:33.853Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-vx1800v/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5189/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OS Command Injection in TR-069 (CWMP) Management Interface in TP-Link Archer VX1800v",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-15428",
        "datePublished": "2026-07-14T17:03:33.853Z",
        "dateReserved": "2026-07-10T16:59:16.057Z",
        "dateUpdated": "2026-07-15T03:59:51.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15427 (GCVE-0-2026-15427)

    Vulnerability from nvd – Published: 2026-07-14 17:02 – Updated: 2026-07-15 03:59
    VLAI
    Title
    OS Command Injection in TR-069 (CWMP) Management Interface in TP-Link Archer VX1800v
    Summary
    An OS command injection vulnerability exists in the TR-069 / CWMP management interface of Archer VX1800v v1 due to insufficient input validation and sanitization of parameters, allowing crafted input to be executed as system-level commands. Exploitation requires specific conditions such as TR-069 being enabled and ability to influence ACS-delivered commands, compromise or control an ACS server. Successful exploitation may allow arbitrary command execution with root privileges, resulting in complete compromise of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer VX1800v v1 Affected: 0 , < 0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n (custom)
    Create a notification for this product.
    Credits
    Klamm9
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15427",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T03:59:48.164Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Archer VX1800v v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Klamm9"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn OS command\ninjection vulnerability exists in the TR-069 / CWMP management interface of Archer VX1800v v1 due to insufficient input validation and sanitization of\nparameters, allowing crafted input to be executed as system-level commands.\nExploitation requires specific conditions such as TR-069 being enabled and ability\nto influence ACS-delivered commands, compromise or control an ACS server.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow arbitrary command execution with root privileges,\nresulting in complete compromise of the device.\u003c/p\u003e"
                }
              ],
              "value": "An OS command\ninjection vulnerability exists in the TR-069 / CWMP management interface of Archer VX1800v v1 due to insufficient input validation and sanitization of\nparameters, allowing crafted input to be executed as system-level commands.\nExploitation requires specific conditions such as TR-069 being enabled and ability\nto influence ACS-delivered commands, compromise or control an ACS server.\n\n\n\n\n\nSuccessful\nexploitation may allow arbitrary command execution with root privileges,\nresulting in complete compromise of the device."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T17:02:50.086Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-vx1800v/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5189/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OS Command Injection in TR-069 (CWMP) Management Interface in TP-Link Archer VX1800v",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-15427",
        "datePublished": "2026-07-14T17:02:50.086Z",
        "dateReserved": "2026-07-10T16:59:14.788Z",
        "dateUpdated": "2026-07-15T03:59:48.164Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8699 (GCVE-0-2026-8699)

    Vulnerability from nvd – Published: 2026-07-02 16:52 – Updated: 2026-07-02 17:23
    VLAI
    Title
    Stored Cross-Site Scripting (XSS) in TP-Link Archer C5 Web Management Interface
    Summary
    A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.  An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator's browser.Successful exploitation allows execution of arbitrary JavaScript in an admin's browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings. The vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer C5 v6.8 Affected: 0 , < 0.2.0 3.0.0 v6063.0 Build 260331 Rel.37416n (custom)
    Create a notification for this product.
    Credits
    Jithin Nambiar J
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8699",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T17:23:30.577576Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T17:23:35.569Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Archer C5 v6.8",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "0.2.0 3.0.0 v6063.0 Build 260331 Rel.37416n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jithin Nambiar J"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.\u0026nbsp; An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator\u0027s browser.\u003cdiv\u003eSuccessful exploitation allows execution of arbitrary JavaScript in an admin\u0027s browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings.\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003eThe vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.\u00a0 An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator\u0027s browser.Successful exploitation allows execution of arbitrary JavaScript in an admin\u0027s browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings.\n\nThe vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T16:52:01.632Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/en/support/faq/5165/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored Cross-Site Scripting (XSS) in TP-Link Archer C5 Web Management Interface",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-8699",
        "datePublished": "2026-07-02T16:52:01.632Z",
        "dateReserved": "2026-05-15T16:55:10.477Z",
        "dateUpdated": "2026-07-02T17:23:35.569Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10562 (GCVE-0-2026-10562)

    Vulnerability from nvd – Published: 2026-06-30 20:34 – Updated: 2026-07-01 15:38
    VLAI
    Title
    Unauthenticated Open Redirect Vulnerability on TP-Link Archer AX20 Web Interface
    Summary
    An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface.  An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web server, these inputs may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains. This issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL redirection to untrusted site ('open redirect')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer AX20 V2.0 Affected: 0 , < V2_260527 (custom)
    Create a notification for this product.
    Credits
    VeyselXan (Cyb3rLynx)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10562",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:38:41.789160Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:38:52.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "web"
              ],
              "product": "Archer AX20 V2.0",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V2_260527",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "VeyselXan (Cyb3rLynx)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cp\u003eAn\nunauthenticated URL redirection vulnerability has been identified in Archer\nAX20 V2 due to improper validation of user-supplied URL input within the web\ninterface.\u0026nbsp; An unauthenticated attacker\ncan craft URLs containing URL-encoded path traversal sequences.\u003c/p\u003e\n\n\u003cp\u003eWhen\nprocessed by the embedded web server, these inputs may cause the device to\nrespond with HTTP 3xx redirects to attacker-controlled external domains.\u003c/p\u003e\u003cp\u003eThis issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829.\u003c/p\u003e\u003c/div\u003e"
                }
              ],
              "value": "An\nunauthenticated URL redirection vulnerability has been identified in Archer\nAX20 V2 due to improper validation of user-supplied URL input within the web\ninterface.\u00a0 An unauthenticated attacker\ncan craft URLs containing URL-encoded path traversal sequences.\n\n\n\n\n\nWhen\nprocessed by the embedded web server, these inputs may cause the device to\nrespond with HTTP 3xx redirects to attacker-controlled external domains.\n\n\n\nThis issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-194",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-194 Fake the Source of Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T20:34:43.577Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-ax20/v2/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/en/support/faq/5156/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated Open Redirect Vulnerability on TP-Link Archer AX20 Web Interface",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-10562",
        "datePublished": "2026-06-30T20:34:43.577Z",
        "dateReserved": "2026-06-01T15:52:40.939Z",
        "dateUpdated": "2026-07-01T15:38:52.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9105 (GCVE-0-2026-9105)

    Vulnerability from nvd – Published: 2026-06-29 16:05 – Updated: 2026-06-29 16:18
    VLAI
    Title
    Authenticated Stack-Based Buffer Overflow in TP-Link TL-WR841N Web Interface
    Summary
    An authenticated stack-based buffer overflow vulnerability exists in the web management interface of TP-Link TL-WR841N v14. A remote authenticated attacker can send crafted HTTP requests to cause the embedded web server to overflow a stack buffer, resulting in a crash of the affected process. Successful exploitation results in a denial-of-service condition, causing the device to crash and automatically reboot.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. TL-WR841N v14 Affected: 0 , < V14_260518 (custom)
    Create a notification for this product.
    Credits
    Ravshan Rikhsiev (@arzedlab)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9105",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T16:18:10.114028Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T16:18:26.269Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "TL-WR841N v14",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V14_260518",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ravshan Rikhsiev (@arzedlab)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An authenticated stack-based buffer overflow vulnerability exists in the web management interface of TP-Link TL-WR841N v14.  A remote authenticated attacker can send crafted HTTP requests to cause the embedded web server to overflow a stack buffer, resulting in a crash of the affected process.\n\u003cbr\u003eSuccessful exploitation results in a denial-of-service condition, causing the device to crash and automatically reboot.\u0026nbsp;\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "An authenticated stack-based buffer overflow vulnerability exists in the web management interface of TP-Link TL-WR841N v14.  A remote authenticated attacker can send crafted HTTP requests to cause the embedded web server to overflow a stack buffer, resulting in a crash of the affected process.\n\nSuccessful exploitation results in a denial-of-service condition, causing the device to crash and automatically reboot."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-45",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-45 Buffer Overflow via Symbolic Links"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-29T16:16:20.733Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tl-wr841n/v14/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tl-wr841n/v14/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5152/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated Stack-Based Buffer Overflow in TP-Link TL-WR841N Web Interface",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-9105",
        "datePublished": "2026-06-29T16:05:33.521Z",
        "dateReserved": "2026-05-20T17:10:36.945Z",
        "dateUpdated": "2026-06-29T16:18:26.269Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12760 (GCVE-0-2026-12760)

    Vulnerability from nvd – Published: 2026-06-24 18:10 – Updated: 2026-06-24 18:53
    VLAI
    Title
    Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200
    Summary
    A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.  An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of resources without limits or throttling
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 v3 Affected: 0 , < 1.4.4 Build 250922 (custom)
    Create a notification for this product.
    Credits
    Arjan Chadha, Keysight Technologies
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12760",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T18:53:30.462879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T18:53:46.451Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "NVMP"
              ],
              "product": "Tapo C200 v3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.4.4 Build 250922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Arjan Chadha, Keysight Technologies"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u0026nbsp; An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.\u003cdiv\u003eSuccessful exploitation can remotely trigger a temporary denial-of-service condition,\u0026nbsp;\u003cspan\u003ecausing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u00a0 An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition,\u00a0causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-125",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-125 Flooding"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of resources without limits or throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T18:10:49.967Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5143/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-12760",
        "datePublished": "2026-06-24T18:10:49.967Z",
        "dateReserved": "2026-06-19T21:06:11.577Z",
        "dateUpdated": "2026-06-24T18:53:46.451Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11834 (GCVE-0-2026-11834)

    Vulnerability from nvd – Published: 2026-06-22 17:53 – Updated: 2026-06-26 21:14
    VLAI
    Title
    Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers
    Summary
    A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state. Successful exploitation may allow an adjacent, unauthenticated attacker to execute arbitrary commands with elevated privileges, potentially leading to full compromise of the affected device and unauthorized administrative control.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer MR200 v07 Affected: 0 , < 1.3.0 Build 250605 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer MR200 v8 Affected: 0 , < 1.5.0 Build 260605 (custom)
    Create a notification for this product.
    TP Link Systems Inc. Archer MR402 v1 Affected: 0 , < 1.5.0 Build 260605 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer VR2100 v1 Affected: 0 , < EU_V1_260330 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer C20 v5 Affected: 0 , < EU_V5_260317 (custom)
    Affected: 0 , < US_V5_260419 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer C20 v6 Affected: 0 , < V6_260608 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. TL-MR6400 v7 Affected: 0 , < 1.7.0 Build 260413 (custom)
    Create a notification for this product.
    Credits
    Matt Graham (mattg.systems)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11834",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T03:56:03.662Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Archer MR200 v07",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.3.0 Build 250605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer MR200 v8",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.5.0 Build 260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer MR402 v1",
              "vendor": "TP Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.5.0 Build 260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer VR2100 v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "EU_V1_260330",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer C20 v5",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "EU_V5_260317",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "US_V5_260419",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer C20 v6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V6_260608",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "TL-MR6400 v7",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.7.0 Build 260413",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matt Graham (mattg.systems)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA command\ninjection vulnerability has been identified in the DHCP option processing logic\nin multiple TP-Link router models, due to insufficient validation of externally\nsupplied DHCP option data.\u0026nbsp;An adjacent attacker may exploit this\nvulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized\ncommand execution during device initialization or provisioning workflows. This\ntypically occurs when the device is in a factory-default or unconfigured state.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow an adjacent, unauthenticated attacker to execute\narbitrary commands with elevated privileges, potentially leading to full\ncompromise of the affected device and unauthorized administrative control.\u003c/p\u003e"
                }
              ],
              "value": "A command\ninjection vulnerability has been identified in the DHCP option processing logic\nin multiple TP-Link router models, due to insufficient validation of externally\nsupplied DHCP option data.\u00a0An adjacent attacker may exploit this\nvulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized\ncommand execution during device initialization or provisioning workflows. This\ntypically occurs when the device is in a factory-default or unconfigured state.\n\n\n\n\n\nSuccessful\nexploitation may allow an adjacent, unauthenticated attacker to execute\narbitrary commands with elevated privileges, potentially leading to full\ncompromise of the affected device and unauthorized administrative control."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T21:14:49.752Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-c20/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-mr402/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-mr200/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tl-mr6400/v7/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-vr2100/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/archer-c20/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5141/"
            },
            {
              "url": "https://mattg.systems/posts/cve-2026-11834/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-11834",
        "datePublished": "2026-06-22T17:53:48.436Z",
        "dateReserved": "2026-06-09T22:14:54.973Z",
        "dateUpdated": "2026-06-26T21:14:49.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11410 (GCVE-0-2026-11410)

    Vulnerability from nvd – Published: 2026-06-16 21:03 – Updated: 2026-06-18 03:56
    VLAI
    Title
    OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N
    Summary
    An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. TL-WR940N v6 Affected: 0 , < V6_260528 (custom)
    Create a notification for this product.
    Credits
    Duong Ton Hoang Khang of Sacombank
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11410",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T03:56:12.777Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "TL-WR940N v6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V6_260528",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Duong Ton Hoang Khang of Sacombank"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eAn authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.\u003c/div\u003e"
                }
              ],
              "value": "An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T21:03:13.733Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5131/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-11410",
        "datePublished": "2026-06-16T21:03:13.733Z",
        "dateReserved": "2026-06-05T18:37:13.184Z",
        "dateUpdated": "2026-06-18T03:56:12.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11409 (GCVE-0-2026-11409)

    Vulnerability from nvd – Published: 2026-06-16 21:03 – Updated: 2026-06-18 03:56
    VLAI
    Title
    OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N
    Summary
    An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. TL-WR940N v6 Affected: 0 , < V6_260528 (custom)
    Create a notification for this product.
    Credits
    Duong Ton Hoang Khang of Sacombank
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11409",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T03:56:11.660Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "TL-WR940N v6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V6_260528",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Duong Ton Hoang Khang of Sacombank"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eAn authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.\u003c/div\u003e"
                }
              ],
              "value": "An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T21:03:47.128Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5131/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-11409",
        "datePublished": "2026-06-16T21:03:47.128Z",
        "dateReserved": "2026-06-05T18:37:11.242Z",
        "dateUpdated": "2026-06-18T03:56:11.660Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6250 (GCVE-0-2026-6250)

    Vulnerability from nvd – Published: 2026-06-11 20:46 – Updated: 2026-06-12 15:41
    VLAI
    Title
    Authenticated Format String Injection on TP-Link Tapo C110
    Summary
    An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input.  Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-134 - Use of Externally-Controlled format string
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C110 v2 Affected: 0 , < 1.5.4 Build 260428 (custom)
    Create a notification for this product.
    Credits
    Juhyeop Lee(@juhye0p) of STEALIEN
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6250",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:41:39.052599Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:41:58.140Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tapo C110 v2",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.5.4 Build 260428",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juhyeop\u00a0Lee(@juhye0p) of STEALIEN"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u0026nbsp; Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\u003c/p\u003e\n\n\u003cp\u003eA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption.\u003c/p\u003e"
                }
              ],
              "value": "An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u00a0 Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\n\n\n\n\n\nA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-135",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-135 Format String Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-134",
                  "description": "CWE-134 Use of Externally-Controlled format string",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T20:46:09.672Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5128/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated Format String Injection on TP-Link Tapo C110",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-6250",
        "datePublished": "2026-06-11T20:46:09.672Z",
        "dateReserved": "2026-04-13T18:44:25.412Z",
        "dateUpdated": "2026-06-12T15:41:58.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9151 (GCVE-0-2026-9151)

    Vulnerability from nvd – Published: 2026-06-10 17:10 – Updated: 2026-06-11 03:55
    VLAI
    Title
    Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers
    Summary
    An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters.  Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer AX12 V1 Affected: 0 , < V1_1.5.0 Build 20260605 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer AX18 v1 Affected: 0 , < V1_1.5.0 Build 20260605 (custom)
    Create a notification for this product.
    TP Link Systems Inc. Archer AX17 v1 Affected: 0 , < V1_1.5.0 Build 20260605 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer AX1300 v1.6 Affected: 0 , < V1_1.5.0 Build 20260605 (custom)
    Create a notification for this product.
    Credits
    Henri Nurmi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9151",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-11T03:55:33.812Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "openvpn"
              ],
              "product": "Archer AX12 V1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V1_1.5.0 Build 20260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer AX18 v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V1_1.5.0 Build 20260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer AX17 v1",
              "vendor": "TP Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V1_1.5.0 Build 20260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer AX1300 v1.6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V1_1.5.0 Build 20260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Henri Nurmi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn OS\ncommand injection vulnerability exists in the VPN module of TP-Link Archer AX12\nv1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an\nadjacent, authenticated attacker to execute arbitrary commands on the device by\nimporting a specially crafted VPN client configuration file. The issue stems\nfrom improper filtering of special characters.\u0026nbsp;\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation of this vulnerability may enable an attacker to gain full control\nof the affected device, potentially compromising configuration integrity,\nnetwork security, and service availability.\u003c/p\u003e"
                }
              ],
              "value": "An OS\ncommand injection vulnerability exists in the VPN module of TP-Link Archer AX12\nv1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an\nadjacent, authenticated attacker to execute arbitrary commands on the device by\nimporting a specially crafted VPN client configuration file. The issue stems\nfrom improper filtering of special characters.\u00a0\n\n\n\n\n\nSuccessful\nexploitation of this vulnerability may enable an attacker to gain full control\nof the affected device, potentially compromising configuration integrity,\nnetwork security, and service availability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-248",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-248 Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T17:10:10.842Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-ax17/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-ax12/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-ax18/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/archer-ax1300/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5125/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-9151",
        "datePublished": "2026-06-10T17:10:10.842Z",
        "dateReserved": "2026-05-20T22:32:54.201Z",
        "dateUpdated": "2026-06-11T03:55:33.812Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13230 (GCVE-0-2026-13230)

    Vulnerability from cvelistv5 – Published: 2026-07-15 00:21 – Updated: 2026-07-15 12:37
    VLAI
    Title
    Information Disclosure Vulnerability in Local Discovery Response in TP-Link Kasa EC70 and EC71
    Summary
    An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which exposes sensitive geolocation information without requiring authentication. This issue allows an attacker on the same local network to retrieve geolocation-related data through crafted responses. The vulnerability impacts confidentiality only, with no evidence of integrity of availability impact.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Kasa EC71 v4 Affected: 0 , < 2.4.1 Build 20260621 rel.76536 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Kasa EC70 v4 Affected: 0 , < 2.4.1 Build 20260621 rel.76536 (custom)
    Create a notification for this product.
    Credits
    Christopher Childress
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13230",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:36:57.835701Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:37:09.376Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "NVMP"
              ],
              "product": "Kasa EC71 v4",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "2.4.1 Build 20260621 rel.76536",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "NVMP"
              ],
              "product": "Kasa EC70 v4",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "2.4.1 Build 20260621 rel.76536",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Christopher Childress"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which\u0026nbsp;\u003cspan\u003eexposes\nsensitive geolocation information without requiring authentication. This issue\nallows an attacker on the same local network to retrieve geolocation-related\ndata through crafted responses.\u003c/span\u003e\u003cdiv\u003e\u003cp\u003eThe\nvulnerability impacts confidentiality only, with no evidence of integrity of\navailability impact.\u003c/p\u003e\u003c/div\u003e"
                }
              ],
              "value": "An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which\u00a0exposes\nsensitive geolocation information without requiring authentication. This issue\nallows an attacker on the same local network to retrieve geolocation-related\ndata through crafted responses.\n\nThe\nvulnerability impacts confidentiality only, with no evidence of integrity of\navailability impact."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-118",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-118 Collect \u0026 Analyze Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T00:21:16.177Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/ec71/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/ec71/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/ec70/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/ec70/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5192/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Information Disclosure Vulnerability in Local Discovery Response in TP-Link Kasa EC70 and EC71",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-13230",
        "datePublished": "2026-07-15T00:21:16.177Z",
        "dateReserved": "2026-06-24T17:50:08.263Z",
        "dateUpdated": "2026-07-15T12:37:09.376Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9770 (GCVE-0-2026-9770)

    Vulnerability from cvelistv5 – Published: 2026-07-15 00:21 – Updated: 2026-07-15 12:38
    VLAI
    Title
    Hardcoded Cryptographic Key Information Disclosure Vulnerability on TP-Link Kasa EC70 and EC71
    Summary
    Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem that is shared across devices.  An attacker with access to the firmware image can extract the embedded key.  Successful exploitation may allow an unauthenticated attacker on the same network to use this key in the web management service, compromising the confidentiality of encrypted communications. This may enable passive decryption of traffic or active man-in-the-middle (MITM) attacks
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of hard-coded cryptographic key
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Kasa EC71 v4 Affected: 0 , < 2.4.0 Build 20260520 rel.4191 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Kasa EC70 v4 Affected: 0 , < 2.4.0 Build 20260520 rel.4191 (custom)
    Create a notification for this product.
    Credits
    Christopher Childress
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9770",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:37:44.275721Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:38:03.180Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Kasa EC71 v4",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "2.4.0 Build 20260520 rel.4191",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Kasa EC70 v4",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "2.4.0 Build 20260520 rel.4191",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Christopher Childress"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eKasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem\nthat is shared across devices.\u0026nbsp; An\nattacker with access to the firmware image can extract the embedded key.\u0026nbsp; \u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eSuccessful\nexploitation may allow an unauthenticated attacker on the same network to use\nthis key in the web management service, compromising the confidentiality of\nencrypted communications. This may enable passive decryption of traffic or\nactive man-in-the-middle (MITM) attacks\u003c/p\u003e"
                }
              ],
              "value": "Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem\nthat is shared across devices.\u00a0 An\nattacker with access to the firmware image can extract the embedded key.\u00a0 \n\n\n\n\n\n\n\n\n\nSuccessful\nexploitation may allow an unauthenticated attacker on the same network to use\nthis key in the web management service, compromising the confidentiality of\nencrypted communications. This may enable passive decryption of traffic or\nactive man-in-the-middle (MITM) attacks"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-474",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-474 Signature Spoofing by Key Theft"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of hard-coded cryptographic key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T00:21:06.126Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/ec71/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/ec71/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/ec70/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/ec70/v4/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5192/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hardcoded Cryptographic Key Information Disclosure Vulnerability on TP-Link Kasa EC70 and EC71",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-9770",
        "datePublished": "2026-07-15T00:21:06.126Z",
        "dateReserved": "2026-05-27T22:00:46.491Z",
        "dateUpdated": "2026-07-15T12:38:03.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5040 (GCVE-0-2026-5040)

    Vulnerability from cvelistv5 – Published: 2026-07-14 18:00 – Updated: 2026-07-15 10:27
    VLAI
    Title
    Weak Password Hashing Mechanism in TP-Link Deco M5
    Summary
    TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks. Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-916 - Use of Password Hash With Insufficient Computational Effort
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Deco M5 Deco M5 V1 Affected: 0 , < 1.9.4 Build 20260312 Rel.17129 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5040",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T04:01:00.675503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:27:47.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Deco M5 Deco M5 V1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.9.4 Build 20260312 Rel.17129",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials.  An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.\n\u003cbr\u003eSuccessful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.\u0026nbsp;\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials.  An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.\n\nSuccessful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-55",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-55 Rainbow Table Password Cracking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-916",
                  "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:00:32.162Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "url": "https://www.tp-link.com/us/support/download/deco-m5/v1/#Firmware"
            },
            {
              "url": "https://www.tp-link.com/en/support/download/deco-m5/v1/#Firmware"
            },
            {
              "url": "https://www.tp-link.com/us/support/faq/5190/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Weak Password Hashing Mechanism in TP-Link Deco M5",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-5040",
        "datePublished": "2026-07-14T18:00:32.162Z",
        "dateReserved": "2026-03-27T16:26:49.615Z",
        "dateUpdated": "2026-07-15T10:27:47.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15429 (GCVE-0-2026-15429)

    Vulnerability from cvelistv5 – Published: 2026-07-14 17:04 – Updated: 2026-07-15 03:59
    VLAI
    Title
    Privilege Escalation via Improper Input Sanitization in TP-Link Archer VX1800v
    Summary
    A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data.  An authenticated user with sufficient privileges may be able to modify account settings and gain elevated administrative privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-93 - Improper neutralization of CRLF sequences ('CRLF injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer VX1800v v1 Affected: 0 , < 0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n (custom)
    Create a notification for this product.
    Credits
    Klamm9
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15429",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T03:59:52.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Archer VX1800v v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Klamm9"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eA privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data.\u0026nbsp;\u003c/div\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eAn\nauthenticated user with sufficient privileges may be able to modify account\nsettings and gain elevated administrative privileges.\u003c/p\u003e"
                }
              ],
              "value": "A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data.\u00a0\n\n\n\n\n\n\n\n\n\nAn\nauthenticated user with sufficient privileges may be able to modify account\nsettings and gain elevated administrative privileges."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137 Parameter Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-93",
                  "description": "CWE-93 Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T17:04:06.888Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-vx1800v/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5189/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Privilege Escalation via Improper Input Sanitization in TP-Link Archer VX1800v",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-15429",
        "datePublished": "2026-07-14T17:04:06.888Z",
        "dateReserved": "2026-07-10T16:59:17.389Z",
        "dateUpdated": "2026-07-15T03:59:52.199Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15428 (GCVE-0-2026-15428)

    Vulnerability from cvelistv5 – Published: 2026-07-14 17:03 – Updated: 2026-07-15 03:59
    VLAI
    Title
    OS Command Injection in TR-069 (CWMP) Management Interface in TP-Link Archer VX1800v
    Summary
    An OS command injection vulnerability exists in Archer VX800v v1 due to insufficient input sanitization of the domain name parameter. An adjacent attacker who can access the relevant HTTP interface can modify the parameter to inject shell metacharacters, resulting in arbitrary code execution with root privileges. Successful exploitation may allow remote code execution and complete compromise of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer VX1800v v1 Affected: 0 , < 0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n (custom)
    Create a notification for this product.
    Credits
    Klamm9
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15428",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T03:59:51.416Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Archer VX1800v v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Klamm9"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn OS\ncommand injection vulnerability exists in Archer VX800v v1 due to insufficient input sanitization of\nthe domain name parameter. An adjacent attacker who can access the relevant\nHTTP interface can modify the parameter to inject shell metacharacters, resulting\nin arbitrary code execution with root privileges.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eSuccessful\nexploitation may allow remote code execution and complete compromise of the\ndevice.\u003c/p\u003e"
                }
              ],
              "value": "An OS\ncommand injection vulnerability exists in Archer VX800v v1 due to insufficient input sanitization of\nthe domain name parameter. An adjacent attacker who can access the relevant\nHTTP interface can modify the parameter to inject shell metacharacters, resulting\nin arbitrary code execution with root privileges.\n\n\n\n\n\n\n\n\n\nSuccessful\nexploitation may allow remote code execution and complete compromise of the\ndevice."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T17:03:33.853Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-vx1800v/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5189/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OS Command Injection in TR-069 (CWMP) Management Interface in TP-Link Archer VX1800v",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-15428",
        "datePublished": "2026-07-14T17:03:33.853Z",
        "dateReserved": "2026-07-10T16:59:16.057Z",
        "dateUpdated": "2026-07-15T03:59:51.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15427 (GCVE-0-2026-15427)

    Vulnerability from cvelistv5 – Published: 2026-07-14 17:02 – Updated: 2026-07-15 03:59
    VLAI
    Title
    OS Command Injection in TR-069 (CWMP) Management Interface in TP-Link Archer VX1800v
    Summary
    An OS command injection vulnerability exists in the TR-069 / CWMP management interface of Archer VX1800v v1 due to insufficient input validation and sanitization of parameters, allowing crafted input to be executed as system-level commands. Exploitation requires specific conditions such as TR-069 being enabled and ability to influence ACS-delivered commands, compromise or control an ACS server. Successful exploitation may allow arbitrary command execution with root privileges, resulting in complete compromise of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer VX1800v v1 Affected: 0 , < 0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n (custom)
    Create a notification for this product.
    Credits
    Klamm9
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15427",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T03:59:48.164Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Archer VX1800v v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "0.16.0 2.0.0 v6092.0 Build 260521 RC.7927n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Klamm9"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn OS command\ninjection vulnerability exists in the TR-069 / CWMP management interface of Archer VX1800v v1 due to insufficient input validation and sanitization of\nparameters, allowing crafted input to be executed as system-level commands.\nExploitation requires specific conditions such as TR-069 being enabled and ability\nto influence ACS-delivered commands, compromise or control an ACS server.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow arbitrary command execution with root privileges,\nresulting in complete compromise of the device.\u003c/p\u003e"
                }
              ],
              "value": "An OS command\ninjection vulnerability exists in the TR-069 / CWMP management interface of Archer VX1800v v1 due to insufficient input validation and sanitization of\nparameters, allowing crafted input to be executed as system-level commands.\nExploitation requires specific conditions such as TR-069 being enabled and ability\nto influence ACS-delivered commands, compromise or control an ACS server.\n\n\n\n\n\nSuccessful\nexploitation may allow arbitrary command execution with root privileges,\nresulting in complete compromise of the device."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T17:02:50.086Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-vx1800v/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5189/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OS Command Injection in TR-069 (CWMP) Management Interface in TP-Link Archer VX1800v",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-15427",
        "datePublished": "2026-07-14T17:02:50.086Z",
        "dateReserved": "2026-07-10T16:59:14.788Z",
        "dateUpdated": "2026-07-15T03:59:48.164Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8699 (GCVE-0-2026-8699)

    Vulnerability from cvelistv5 – Published: 2026-07-02 16:52 – Updated: 2026-07-02 17:23
    VLAI
    Title
    Stored Cross-Site Scripting (XSS) in TP-Link Archer C5 Web Management Interface
    Summary
    A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.  An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator's browser.Successful exploitation allows execution of arbitrary JavaScript in an admin's browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings. The vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer C5 v6.8 Affected: 0 , < 0.2.0 3.0.0 v6063.0 Build 260331 Rel.37416n (custom)
    Create a notification for this product.
    Credits
    Jithin Nambiar J
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8699",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T17:23:30.577576Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T17:23:35.569Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Archer C5 v6.8",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "0.2.0 3.0.0 v6063.0 Build 260331 Rel.37416n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jithin Nambiar J"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.\u0026nbsp; An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator\u0027s browser.\u003cdiv\u003eSuccessful exploitation allows execution of arbitrary JavaScript in an admin\u0027s browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings.\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003eThe vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.\u00a0 An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator\u0027s browser.Successful exploitation allows execution of arbitrary JavaScript in an admin\u0027s browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings.\n\nThe vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T16:52:01.632Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/en/support/faq/5165/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored Cross-Site Scripting (XSS) in TP-Link Archer C5 Web Management Interface",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-8699",
        "datePublished": "2026-07-02T16:52:01.632Z",
        "dateReserved": "2026-05-15T16:55:10.477Z",
        "dateUpdated": "2026-07-02T17:23:35.569Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10562 (GCVE-0-2026-10562)

    Vulnerability from cvelistv5 – Published: 2026-06-30 20:34 – Updated: 2026-07-01 15:38
    VLAI
    Title
    Unauthenticated Open Redirect Vulnerability on TP-Link Archer AX20 Web Interface
    Summary
    An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface.  An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web server, these inputs may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains. This issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL redirection to untrusted site ('open redirect')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer AX20 V2.0 Affected: 0 , < V2_260527 (custom)
    Create a notification for this product.
    Credits
    VeyselXan (Cyb3rLynx)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10562",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:38:41.789160Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:38:52.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "web"
              ],
              "product": "Archer AX20 V2.0",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V2_260527",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "VeyselXan (Cyb3rLynx)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cp\u003eAn\nunauthenticated URL redirection vulnerability has been identified in Archer\nAX20 V2 due to improper validation of user-supplied URL input within the web\ninterface.\u0026nbsp; An unauthenticated attacker\ncan craft URLs containing URL-encoded path traversal sequences.\u003c/p\u003e\n\n\u003cp\u003eWhen\nprocessed by the embedded web server, these inputs may cause the device to\nrespond with HTTP 3xx redirects to attacker-controlled external domains.\u003c/p\u003e\u003cp\u003eThis issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829.\u003c/p\u003e\u003c/div\u003e"
                }
              ],
              "value": "An\nunauthenticated URL redirection vulnerability has been identified in Archer\nAX20 V2 due to improper validation of user-supplied URL input within the web\ninterface.\u00a0 An unauthenticated attacker\ncan craft URLs containing URL-encoded path traversal sequences.\n\n\n\n\n\nWhen\nprocessed by the embedded web server, these inputs may cause the device to\nrespond with HTTP 3xx redirects to attacker-controlled external domains.\n\n\n\nThis issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-194",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-194 Fake the Source of Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T20:34:43.577Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-ax20/v2/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/en/support/faq/5156/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated Open Redirect Vulnerability on TP-Link Archer AX20 Web Interface",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-10562",
        "datePublished": "2026-06-30T20:34:43.577Z",
        "dateReserved": "2026-06-01T15:52:40.939Z",
        "dateUpdated": "2026-07-01T15:38:52.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9105 (GCVE-0-2026-9105)

    Vulnerability from cvelistv5 – Published: 2026-06-29 16:05 – Updated: 2026-06-29 16:18
    VLAI
    Title
    Authenticated Stack-Based Buffer Overflow in TP-Link TL-WR841N Web Interface
    Summary
    An authenticated stack-based buffer overflow vulnerability exists in the web management interface of TP-Link TL-WR841N v14. A remote authenticated attacker can send crafted HTTP requests to cause the embedded web server to overflow a stack buffer, resulting in a crash of the affected process. Successful exploitation results in a denial-of-service condition, causing the device to crash and automatically reboot.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. TL-WR841N v14 Affected: 0 , < V14_260518 (custom)
    Create a notification for this product.
    Credits
    Ravshan Rikhsiev (@arzedlab)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9105",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T16:18:10.114028Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T16:18:26.269Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "TL-WR841N v14",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V14_260518",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ravshan Rikhsiev (@arzedlab)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An authenticated stack-based buffer overflow vulnerability exists in the web management interface of TP-Link TL-WR841N v14.  A remote authenticated attacker can send crafted HTTP requests to cause the embedded web server to overflow a stack buffer, resulting in a crash of the affected process.\n\u003cbr\u003eSuccessful exploitation results in a denial-of-service condition, causing the device to crash and automatically reboot.\u0026nbsp;\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "An authenticated stack-based buffer overflow vulnerability exists in the web management interface of TP-Link TL-WR841N v14.  A remote authenticated attacker can send crafted HTTP requests to cause the embedded web server to overflow a stack buffer, resulting in a crash of the affected process.\n\nSuccessful exploitation results in a denial-of-service condition, causing the device to crash and automatically reboot."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-45",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-45 Buffer Overflow via Symbolic Links"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-29T16:16:20.733Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tl-wr841n/v14/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tl-wr841n/v14/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5152/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated Stack-Based Buffer Overflow in TP-Link TL-WR841N Web Interface",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-9105",
        "datePublished": "2026-06-29T16:05:33.521Z",
        "dateReserved": "2026-05-20T17:10:36.945Z",
        "dateUpdated": "2026-06-29T16:18:26.269Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12760 (GCVE-0-2026-12760)

    Vulnerability from cvelistv5 – Published: 2026-06-24 18:10 – Updated: 2026-06-24 18:53
    VLAI
    Title
    Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200
    Summary
    A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.  An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of resources without limits or throttling
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 v3 Affected: 0 , < 1.4.4 Build 250922 (custom)
    Create a notification for this product.
    Credits
    Arjan Chadha, Keysight Technologies
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12760",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T18:53:30.462879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T18:53:46.451Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "NVMP"
              ],
              "product": "Tapo C200 v3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.4.4 Build 250922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Arjan Chadha, Keysight Technologies"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u0026nbsp; An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.\u003cdiv\u003eSuccessful exploitation can remotely trigger a temporary denial-of-service condition,\u0026nbsp;\u003cspan\u003ecausing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u00a0 An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition,\u00a0causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-125",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-125 Flooding"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of resources without limits or throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T18:10:49.967Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5143/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-12760",
        "datePublished": "2026-06-24T18:10:49.967Z",
        "dateReserved": "2026-06-19T21:06:11.577Z",
        "dateUpdated": "2026-06-24T18:53:46.451Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11834 (GCVE-0-2026-11834)

    Vulnerability from cvelistv5 – Published: 2026-06-22 17:53 – Updated: 2026-06-26 21:14
    VLAI
    Title
    Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers
    Summary
    A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state. Successful exploitation may allow an adjacent, unauthenticated attacker to execute arbitrary commands with elevated privileges, potentially leading to full compromise of the affected device and unauthorized administrative control.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer MR200 v07 Affected: 0 , < 1.3.0 Build 250605 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer MR200 v8 Affected: 0 , < 1.5.0 Build 260605 (custom)
    Create a notification for this product.
    TP Link Systems Inc. Archer MR402 v1 Affected: 0 , < 1.5.0 Build 260605 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer VR2100 v1 Affected: 0 , < EU_V1_260330 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer C20 v5 Affected: 0 , < EU_V5_260317 (custom)
    Affected: 0 , < US_V5_260419 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer C20 v6 Affected: 0 , < V6_260608 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. TL-MR6400 v7 Affected: 0 , < 1.7.0 Build 260413 (custom)
    Create a notification for this product.
    Credits
    Matt Graham (mattg.systems)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11834",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T03:56:03.662Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Archer MR200 v07",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.3.0 Build 250605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer MR200 v8",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.5.0 Build 260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer MR402 v1",
              "vendor": "TP Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.5.0 Build 260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer VR2100 v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "EU_V1_260330",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer C20 v5",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "EU_V5_260317",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "US_V5_260419",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer C20 v6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V6_260608",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "TL-MR6400 v7",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.7.0 Build 260413",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matt Graham (mattg.systems)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA command\ninjection vulnerability has been identified in the DHCP option processing logic\nin multiple TP-Link router models, due to insufficient validation of externally\nsupplied DHCP option data.\u0026nbsp;An adjacent attacker may exploit this\nvulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized\ncommand execution during device initialization or provisioning workflows. This\ntypically occurs when the device is in a factory-default or unconfigured state.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow an adjacent, unauthenticated attacker to execute\narbitrary commands with elevated privileges, potentially leading to full\ncompromise of the affected device and unauthorized administrative control.\u003c/p\u003e"
                }
              ],
              "value": "A command\ninjection vulnerability has been identified in the DHCP option processing logic\nin multiple TP-Link router models, due to insufficient validation of externally\nsupplied DHCP option data.\u00a0An adjacent attacker may exploit this\nvulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized\ncommand execution during device initialization or provisioning workflows. This\ntypically occurs when the device is in a factory-default or unconfigured state.\n\n\n\n\n\nSuccessful\nexploitation may allow an adjacent, unauthenticated attacker to execute\narbitrary commands with elevated privileges, potentially leading to full\ncompromise of the affected device and unauthorized administrative control."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T21:14:49.752Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-c20/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-mr402/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-mr200/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tl-mr6400/v7/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-vr2100/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/archer-c20/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5141/"
            },
            {
              "url": "https://mattg.systems/posts/cve-2026-11834/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-11834",
        "datePublished": "2026-06-22T17:53:48.436Z",
        "dateReserved": "2026-06-09T22:14:54.973Z",
        "dateUpdated": "2026-06-26T21:14:49.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11409 (GCVE-0-2026-11409)

    Vulnerability from cvelistv5 – Published: 2026-06-16 21:03 – Updated: 2026-06-18 03:56
    VLAI
    Title
    OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N
    Summary
    An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. TL-WR940N v6 Affected: 0 , < V6_260528 (custom)
    Create a notification for this product.
    Credits
    Duong Ton Hoang Khang of Sacombank
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11409",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T03:56:11.660Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "TL-WR940N v6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V6_260528",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Duong Ton Hoang Khang of Sacombank"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eAn authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.\u003c/div\u003e"
                }
              ],
              "value": "An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T21:03:47.128Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5131/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-11409",
        "datePublished": "2026-06-16T21:03:47.128Z",
        "dateReserved": "2026-06-05T18:37:11.242Z",
        "dateUpdated": "2026-06-18T03:56:11.660Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11410 (GCVE-0-2026-11410)

    Vulnerability from cvelistv5 – Published: 2026-06-16 21:03 – Updated: 2026-06-18 03:56
    VLAI
    Title
    OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N
    Summary
    An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. TL-WR940N v6 Affected: 0 , < V6_260528 (custom)
    Create a notification for this product.
    Credits
    Duong Ton Hoang Khang of Sacombank
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11410",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T03:56:12.777Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "TL-WR940N v6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V6_260528",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Duong Ton Hoang Khang of Sacombank"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eAn authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.\u003c/div\u003e"
                }
              ],
              "value": "An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T21:03:13.733Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5131/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-11410",
        "datePublished": "2026-06-16T21:03:13.733Z",
        "dateReserved": "2026-06-05T18:37:13.184Z",
        "dateUpdated": "2026-06-18T03:56:12.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6250 (GCVE-0-2026-6250)

    Vulnerability from cvelistv5 – Published: 2026-06-11 20:46 – Updated: 2026-06-12 15:41
    VLAI
    Title
    Authenticated Format String Injection on TP-Link Tapo C110
    Summary
    An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input.  Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-134 - Use of Externally-Controlled format string
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C110 v2 Affected: 0 , < 1.5.4 Build 260428 (custom)
    Create a notification for this product.
    Credits
    Juhyeop Lee(@juhye0p) of STEALIEN
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6250",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:41:39.052599Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:41:58.140Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tapo C110 v2",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.5.4 Build 260428",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Juhyeop\u00a0Lee(@juhye0p) of STEALIEN"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u0026nbsp; Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\u003c/p\u003e\n\n\u003cp\u003eA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption.\u003c/p\u003e"
                }
              ],
              "value": "An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u00a0 Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\n\n\n\n\n\nA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-135",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-135 Format String Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-134",
                  "description": "CWE-134 Use of Externally-Controlled format string",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T20:46:09.672Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5128/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated Format String Injection on TP-Link Tapo C110",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-6250",
        "datePublished": "2026-06-11T20:46:09.672Z",
        "dateReserved": "2026-04-13T18:44:25.412Z",
        "dateUpdated": "2026-06-12T15:41:58.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9151 (GCVE-0-2026-9151)

    Vulnerability from cvelistv5 – Published: 2026-06-10 17:10 – Updated: 2026-06-11 03:55
    VLAI
    Title
    Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers
    Summary
    An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters.  Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Archer AX12 V1 Affected: 0 , < V1_1.5.0 Build 20260605 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer AX18 v1 Affected: 0 , < V1_1.5.0 Build 20260605 (custom)
    Create a notification for this product.
    TP Link Systems Inc. Archer AX17 v1 Affected: 0 , < V1_1.5.0 Build 20260605 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Archer AX1300 v1.6 Affected: 0 , < V1_1.5.0 Build 20260605 (custom)
    Create a notification for this product.
    Credits
    Henri Nurmi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9151",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-11T03:55:33.812Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "openvpn"
              ],
              "product": "Archer AX12 V1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V1_1.5.0 Build 20260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer AX18 v1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V1_1.5.0 Build 20260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer AX17 v1",
              "vendor": "TP Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V1_1.5.0 Build 20260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Archer AX1300 v1.6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V1_1.5.0 Build 20260605",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Henri Nurmi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn OS\ncommand injection vulnerability exists in the VPN module of TP-Link Archer AX12\nv1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an\nadjacent, authenticated attacker to execute arbitrary commands on the device by\nimporting a specially crafted VPN client configuration file. The issue stems\nfrom improper filtering of special characters.\u0026nbsp;\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation of this vulnerability may enable an attacker to gain full control\nof the affected device, potentially compromising configuration integrity,\nnetwork security, and service availability.\u003c/p\u003e"
                }
              ],
              "value": "An OS\ncommand injection vulnerability exists in the VPN module of TP-Link Archer AX12\nv1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an\nadjacent, authenticated attacker to execute arbitrary commands on the device by\nimporting a specially crafted VPN client configuration file. The issue stems\nfrom improper filtering of special characters.\u00a0\n\n\n\n\n\nSuccessful\nexploitation of this vulnerability may enable an attacker to gain full control\nof the affected device, potentially compromising configuration integrity,\nnetwork security, and service availability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-248",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-248 Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T17:10:10.842Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-ax17/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-ax12/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/archer-ax18/#Firmware"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/archer-ax1300/#Firmware"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5125/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-9151",
        "datePublished": "2026-06-10T17:10:10.842Z",
        "dateReserved": "2026-05-20T22:32:54.201Z",
        "dateUpdated": "2026-06-11T03:55:33.812Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }