TP-Link
Known Exploited TP-Link Vulnerabilities
The following TP-Link vulnerabilities have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning CISA has evidence of exploitation by threat actors.
| Title | Description | Added |
|---|---|---|
| TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability | TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclosure of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. CVE-2023-50224. EPSS exploit probability: 17.5% | September 3, 2025 |
| TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability | TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. CVE-2025-9377. EPSS exploit probability: 11.7% | September 3, 2025 |
| TP-Link TL-WA855RE Missing Authentication for Critical Function Vulnerability | TP-Link TL-WA855RE contains a missing authentication for critical function vulnerability. It allows an unauthenticated attacker on the same network to submit a TDDP_RESET POST request that performs a factory reset and reboot. The attacker can then take administrative control of the device by setting a new administrative password. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. CVE-2020-24363. EPSS exploit probability: 20.7% | September 2, 2025 |
| TP-Link Multiple Routers Command Injection Vulnerability | TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. CVE-2023-33538. EPSS exploit probability: 42.6% | June 16, 2025 |
| TP-Link Archer AX-21 Command Injection Vulnerability | TP-Link Archer AX-21 contains a command injection vulnerability that allows remote code execution. CVE-2023-1389. EPSS exploit probability: 100.0% | May 1, 2023 |
| TP-Link Multiple Archer Devices Directory Traversal Vulnerability | Directory traversal vulnerability in multiple TP-Link Archer devices allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/. CVE-2015-3035. EPSS exploit probability: 83.8% | March 25, 2022 |
Of the known exploited vulnerabilities above, 2 are in the top 1% (99th percentile or greater) of the EPSS exploit probability rankings, and 4 are in the top 5% (95th percentile or greater).
By the Year
In 2026 there have been 97 vulnerabilities in TP-Link products with an average CVSS base score of 4.3 out of 10. Last year, in 2025, TP-Link had 32 security vulnerabilities published, so 65 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was higher by 3.20.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 97 | 4.30 |
| 2025 | 32 | 7.50 |
| 2024 | 59 | 7.52 |
| 2023 | 39 | 8.55 |
| 2022 | 11 | 7.00 |
| 2021 | 0 | 0.00 |
| 2020 | 12 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 7 | 9.80 |
It may take a day or so for new TP-Link vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent TP-Link Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2026-6250 | Jun 11, 2026 | Tapo C110 Authenticated Format String in ONVIF Service: An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control-flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset and leading to loss of configuration, deletion of stored credentials and service disruption. |
| CVE-2026-9151 | Jun 10, 2026 | TP-Link Archer VPN Module OS Command Injection (v1 and v1.6): An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers. It allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters. Successful exploitation may enable an attacker to gain full control of the affected device, compromising configuration integrity, network security, and service availability. |
| CVE-2026-8913 | Jun 08, 2026 | Command Injection in TP-Link Archer MR600 WireGuard: A command injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes. Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device. |
| CVE-2026-6242 | Jun 05, 2026 | Authenticated Format String in Tapo C520WS Subscribe Service: An authenticated format string vulnerability exists in the ONVIF Subscribe service of Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or the notification generation path to disrupt normal service execution. Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in loss of real-time alarm functionality and disruption of event notifications. |
| CVE-2026-6241 | Jun 05, 2026 | Authenticated Format String DoS via ONVIF AddScopes in Tapo C520WS v2: An authenticated format string vulnerability is present in the ONVIF AddScopes handler of Tapo C520WS v2, where user-controlled input is passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior. Successful exploitation may cause the ONVIF management service to crash, resulting in a DoS condition that impacts normal device operation. |
| CVE-2026-6240 | Jun 05, 2026 | Stack Buffer Overflow in Tapo C520WS v2 ONVIF DeleteUsers (DoS): A stack-based buffer overflow vulnerability exists in the ONVIF DeleteUsers service of Tapo C520WS v2 due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted request containing an excessive number of identifiers to overflow stack memory. Successful exploitation may result in a service crash or deadlock, leading to a DoS affecting device management and monitoring functionality. |
| CVE-2026-6239 | Jun 05, 2026 | Tapo C520WS v2 DoS via ONVIF CreateUsers Stack Overflow: A stack-based buffer overflow vulnerability exists in the ONVIF CreateUsers service of Tapo C520WS v2, where the device fails to properly validate the number of XML user nodes during request processing. An authenticated attacker can send a specially crafted ONVIF request containing an excessive number of user entries to trigger memory corruption. Successful exploitation may cause the ONVIF management service to terminate unexpectedly, resulting in a denial-of-service (DoS) condition that disrupts device configuration and management functions. |
| CVE-2026-34123 | Jun 05, 2026 | Tapo C520WS v2 API Auth Bypass Lets Restricted Accounts Execute Sensitive Operations: On Tapo C520WS v2, restricted accounts (for example, hub users) are intended to execute only a limited set of low-sensitivity operations. Due to a logic flaw in the device's API authorization mechanism, an attacker can craft requests that leverage legitimate method-mapping behavior to bypass whitelist restrictions, allowing restricted operations to be masked as permitted requests and executed. Successful exploitation may allow an attacker with access to a restricted account to execute unauthorized sensitive operations. Depending on the operation invoked, impact could include device resets, unintended configuration changes, or disruption of normal operation, leading to loss of availability and integrity of the device. |
| CVE-2026-8714 | Jun 05, 2026 | DoS via RTSP in TP-Link Tapo C520WS v2: A denial-of-service vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of syntactically invalid input. Crafted inputs can trigger a processing error, causing the RTSP service to enter a non-responsive state. Successful exploitation leaves the RTSP service in a denial-of-service condition. |
| CVE-2026-1871 | Jun 02, 2026 | TP-Link Tapo C200 v5 RTSP Auth Stack Overflow Causing DoS: TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request. Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera's live video stream or management interface until the service restarts. |
| CVE-2026-34127 | May 29, 2026 | XSS in TP-Link TL-SG108PE v5 Switch Web UI Config Import: A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitization of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator's browser when the affected interface is viewed. Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface. |
| CVE-2026-34126 | May 28, 2026 | TP-Link Tapo Cleartext Bluetooth During Initialization (v1.0, v3.0): TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulation of transmitted setup data and potentially unauthorized control of the device during initialization. D100C is the chime delivered with the following Tapo camera products: D130, D210, D235, D225, TD21, TDB21 and TD25. |
| CVE-2026-8697 | May 28, 2026 | Archer C64 SSH Debug Service Brute-Force: Due to improper enforcement of authentication rate limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH. Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability. |
| CVE-2026-5509 | May 27, 2026 | TP-Link Archer Routers Authenticated Command Injection via Web UI: An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 routers that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can use the browser's developer console to supply crafted input that is passed to backend system commands without adequate sanitization. Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router's operating environment. |
| CVE-2026-3294 | May 22, 2026 | TP-Link Range Extender Admin Password Reset via Auth Bypass: An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting confidentiality, integrity, and availability. |
| CVE-2026-5511 | May 19, 2026 | TP-Link Archer AX72 CLI Info Leak via Web UI Validation: In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information. An authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options. The exposed information is limited in scope and does not include sensitive system data. |
| CVE-2018-25321 | May 17, 2026 | TP-Link TL-WR720N Router CSRF Enables Admin Actions: The TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Attackers can modify port forwarding rules via VirtualServerRpm.htm or change Wi-Fi security settings via WlanSecurityRpm.htm by tricking authenticated users into visiting attacker-controlled pages. |
| CVE-2026-5039 | Apr 23, 2026 | TP-Link TL-WR841N v13 DES-CBC with Predictable Default Key: TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from the default web management credentials, making the key predictable if the device is left in its default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger a device reboot, resulting in loss of integrity and a denial-of-service condition. |
| CVE-2026-5363 | Apr 15, 2026 | Weak RSA-1024 Encryption in TP-Link Archer C7 v5/v5.8 (uhttpd) pre-20220715: Inadequate encryption strength in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows password recovery. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login. An adjacent attacker able to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauthorized access and compromise of the device configuration. This issue affects Archer C7 through Build 20220715. |
| CVE-2026-30818 | Apr 08, 2026 | OS Command Injection in TP-Link Archer AX53 v1.0 dnsmasq Module (before 1.7.1): An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed, due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0 before 1.7.1 Build 20260213. |
| CVE-2026-30817 | Apr 08, 2026 | File Read in TP-Link AX53 OpenVPN Module (before 1.7.1): An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0 before 1.7.1 Build 20260213. |
| CVE-2026-30816 | Apr 08, 2026 | TP-Link AX53 v1.0 OpenVPN Module External Config Control File Disclosure: An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0 before 1.7.1 Build 20260213. |
| CVE-2026-30815 | Apr 08, 2026 | OpenVPN OS Command Injection in TP-Link Archer AX53 v1.0 (before 1.7.1): An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed, due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0 before 1.7.1 Build 20260213. |
| CVE-2026-30814 | Apr 08, 2026 | TP-Link Archer AX53 tmpServer Stack Buffer Overflow (v1.0): A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash and could allow arbitrary code execution, enabling modification of device state, exposure of sensitive data, or further compromise of device integrity. This issue affects AX53 v1.0 before 1.7.1 Build 20260213. |
| CVE-2026-34124 | Apr 02, 2026 | DoS via HTTP Path Normalization in TP-Link Tapo C520WS v2.6: A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause a buffer overflow and memory corruption, leading to system interruption or device reboot. |
| CVE-2026-34122 | Apr 02, 2026 | TP-Link Tapo C520WS v2.6 Stack Buffer Overflow in Config Handling: A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within a configuration handling component due to insufficient input validation. An attacker can exploit this vulnerability by supplying an excessively long value for a vulnerable configuration parameter, resulting in a stack overflow. Successful exploitation results in a denial-of-service (DoS) condition, leading to a service crash or device reboot and impacting availability. |
| CVE-2026-34121 | Apr 02, 2026 | TP-Link Tapo C520WS v2.6 Auth Bypass in DS Config HTTP: An authentication bypass vulnerability was identified within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6, due to inconsistent parsing and authorization logic for JSON requests during the authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS "do" actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state. |
| CVE-2026-34120 | Apr 02, 2026 | Heap Buffer Overflow in TP-Link Tapo C520WS v2.6 Causing DoS: A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the asynchronous parsing of local video stream content, due to insufficient alignment and validation of buffer boundaries when processing streaming inputs. An attacker on the same network segment could trigger heap memory corruption by sending crafted payloads that cause writes beyond allocated buffer boundaries. Successful exploitation causes a denial-of-service (DoS) condition, causing the device's process to crash or become unresponsive. |
| CVE-2026-34119 | Apr 02, 2026 | TP-Link Tapo C520WS v2.6 HTTP Parse Heap Overflow DoS: A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP parsing loop, which appends segmented request bodies without continuous write-boundary verification, due to insufficient boundary validation when handling externally supplied HTTP input. An attacker on the same network segment could trigger heap memory corruption by sending crafted payloads that cause writes beyond allocated buffer boundaries. Successful exploitation causes a denial-of-service (DoS) condition, causing the device's process to crash or become unresponsive. |
| CVE-2026-34118 | Apr 02, 2026 | TP-Link Tapo C520WS v2.6 Heap Buffer Overflow in HTTP POST Parsing (DoS): A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation when handling externally supplied HTTP input. An attacker on the same network segment could trigger heap memory corruption by sending crafted payloads that cause writes beyond allocated buffer boundaries. Successful exploitation causes a denial-of-service (DoS) condition, causing the device's process to crash or become unresponsive. |
| CVE-2026-4346 | Mar 26, 2026 | TL-WR850N v3: Cleartext Admin/Wi-Fi Credentials via Weak Serial Auth: The vulnerability affecting TL-WR850N v3 involves cleartext storage of administrative and Wi-Fi credentials in a region of the device's flash memory while the serial interface remains enabled and protected only by weak authentication. An attacker with physical access and the ability to connect to the serial port can recover sensitive information, including the router's management password and wireless network key. Successful exploitation can lead to full administrative control of the device and unauthorized access to the associated wireless network. |
| CVE-2026-3622 | Mar 26, 2026 | TL-WR841N v14 UPnP OOB Read Leading to DoS: The vulnerability exists in the UPnP component of TL-WR841N v14, where improper input validation leads to an out-of-bounds read, potentially causing a crash of the UPnP service. Successful exploitation can cause the UPnP service to crash, resulting in a denial-of-service condition. This vulnerability affects TL-WR841N v14 < EN_0.9.1 4.19 Build 260303 Rel.42399n (V14_260303) and < US_0.9.1.4.19 Build 260312 Rel. 49108n (V14_0304). |
| CVE-2025-15606 | Mar 23, 2026 | TP-Link TD-W8961N v4.0 HTTPD DoS via Improper Input Sanitization: A denial-of-service (DoS) vulnerability in the httpd component of TP-Link's TD-W8961N v4.0, due to improper input sanitization, allows crafted requests to trigger a processing error that causes the httpd service to crash. Successful exploitation may allow the attacker to cause service interruption, resulting in a DoS condition. |
| CVE-2025-15605 | Mar 23, 2026 | TP-Link Archer NX Series Hardcoded Key Allows Config Decryption: A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data. |
| CVE-2025-15519 | Mar 23, 2026 | TP-Link Archer NX CLI OS Command Injection via Modem-Management Command: Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device. |
| CVE-2025-15518 | Mar 23, 2026 | TP-Link Archer NX CLI Command Injection via Wireless-Control Command: Improper input handling in a wireless-control administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device. |
| CVE-2025-15517 | Mar 23, 2026 | TP-Link Archer NX Unauthenticated HTTP CGI Firmware Upload: A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 for certain CGI endpoints allows unauthenticated access to functionality intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations. |
| CVE-2025-15608 | Mar 20, 2026 | TP-Link AX53 v1 Stack Buffer Overflow RCE via Unsanitized Probe Input: This vulnerability in AX53 v1 results from insufficient input sanitization in the device's probe handling logic, where unvalidated parameters can trigger a stack-based buffer overflow that causes the affected service to crash and, under specific conditions, may enable remote code execution through complex heap-spray techniques. Successful exploitation may result in repeated service unavailability and, in certain scenarios, allow an attacker to gain control of the device. |
| CVE-2025-15607 | Mar 20, 2026 | Command Injection in TP-Link AX53 v1 mscd Debug Enables Full Device Compromise: A command injection vulnerability on AX53 v1 occurs in the mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device. |
| CVE-2026-3227 | Mar 13, 2026 | TP-Link Router Config Import Command Injection: A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. The router configuration import function allows an authenticated attacker to upload a crafted configuration file that results in execution of OS commands with root privileges during port-trigger processing. Successful exploitation allows an authenticated attacker to execute system commands with root privileges, leading to full device compromise. |
| CVE-2026-1668 | Mar 13, 2026 | Omada Switch Web Interface RCE via Unvalidated Input: The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bounds memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution. An unauthenticated attacker with network access to the affected interface may cause memory corruption, service instability, or information disclosure. Successful exploitation may allow remote code execution or denial of service. |
| CVE-2026-3841 | Mar 12, 2026 | TL-MR6400 v5.3 CLI Command Injection Allows Full Device Compromise: A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute arbitrary system commands. Successful exploitation may lead to full device compromise, including potential loss of confidentiality, integrity, and availability. |
| CVE-2025-15568 | Mar 09, 2026 | Archer AXE75 Web Module Command Injection (v1.6/v1.0) RCE in sysmode=ap: A command injection vulnerability was identified in the web module of the Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to achieve remote code execution (RCE) when the router is configured with sysmode=ap. Successful exploitation results in root-level privileges and impacts confidentiality, integrity and availability of the device. This issue affects Archer AXE75 v1.6/v1.0 through 1.3.2 Build 20250107. |
| CVE-2025-7375 | Mar 05, 2026 | Omada EAP610 HTTP DoS via Crafted Requests (before 1.6.0): A denial-of-service (DoS) vulnerability was identified in Omada EAP610 v3. An attacker with adjacent network access can send crafted requests to cause the device's HTTP service to crash. This results in temporary service unavailability until the device is rebooted. This issue affects Omada EAP610 firmware versions prior to 1.6.0. |
| CVE-2026-0654 | Mar 02, 2026 | TP-Link Deco BE25 v1.0 OS Command Injection via Admin Web Interface: Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via a crafted configuration file, impacting confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0 through 1.1.1 Build 20250822. |
| CVE-2026-0655 | Mar 02, 2026 | TP-Link Deco BE25 v1.0 Path Traversal via Web Modules: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in TP-Link Deco BE25 v1.0 (web modules) allows an authenticated adjacent attacker to read arbitrary files or cause a denial of service. This issue affects Deco BE25 v1.0 through 1.1.1 Build 20250822. |
| CVE-2025-9293 | Feb 13, 2026 | TLS Certificate Validation Flaw Enabling Acceptance of Untrusted Server Identities: A vulnerability in the certificate validation logic may allow applications to accept untrusted or improperly validated server identities during TLS communication. An attacker in a privileged network position may be able to intercept or modify traffic if they can position themselves within the communication channel. Successful exploitation may compromise confidentiality, integrity, and availability of application data. |
| CVE-2025-9292 | Feb 13, 2026 | TP-Link Omada Cloud Controller CORS Bypass: A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP-Link; no user action is required. |
| CVE-2026-1571 | Feb 11, 2026 | Arbitrary JS Execution via Reflected XSS in TP-Link Archer C60 v3 UI: User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted. |
| CVE-2026-0651 | Feb 10, 2026 | TP-Link Tapo C260 v1 Path Traversal via HTTPS GET: A path traversal vulnerability was identified in TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server's handling of GET requests. The server performs path normalization before fully decoding URL-encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL-encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. Successful exploitation may allow authenticated attackers to obtain sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets. |
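Three of the entries above describe the same class of request-path bug: CVE-2026-0651 (normalization runs before percent-decoding and a failed normalization falls back to the raw path), CVE-2026-34124 (the length limit is enforced on the raw path, not on the path after normalization expands it) and, in the KEV table, CVE-2015-3035 (`..` in PATH_INFO). The following is an added example, not TP-Link firmware code, that models that ordering beside a hardened one. The web root, the 64-character limit and the "directory paths expand to a default document" rule are assumptions chosen to make the expansion concrete; the request paths are constructed.

```python
"""Web-root path resolution: the flawed order described on this page beside a
hardened one. Added example; not TP-Link code. WEB_ROOT, MAX_PATH_LEN and the
default-document expansion are assumptions; all request paths are constructed."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www"        # assumed web root of the embedded HTTP server
MAX_PATH_LEN = 64            # assumed limit the server enforces on the request path
DEFAULT_DOC = "index.html"   # assumed default document appended to directory paths


def normalize_segments(path):
    """Collapse '', '.' and '..' segments. Returns None when '..' would climb
    above the root. Directory requests (trailing '/' or bare '/') expand to
    the default document, so the result can be LONGER than the input."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    if path.endswith("/") or not out:
        out.append(DEFAULT_DOC)
    return "/" + "/".join(out)


def resolve_vulnerable(raw_path):
    """Order described for CVE-2026-0651 and CVE-2026-34124: length is checked
    on the RAW path, normalization runs BEFORE percent-decoding, and a failed
    normalization falls back to the raw path (fail-open)."""
    if len(raw_path) > MAX_PATH_LEN:
        return None
    normalized = normalize_segments(raw_path)
    if normalized is None:
        normalized = raw_path              # fallback keeps the traversal intact
    decoded = unquote(normalized)          # '%2e%2e' only becomes '..' here
    return WEB_ROOT + decoded


def resolve_hardened(raw_path):
    """Decode first, normalize second, re-check length after expansion, fail
    closed, and confirm containment on the final filesystem path."""
    decoded = unquote(raw_path)
    if "%" in decoded or "\x00" in decoded or not decoded.startswith("/"):
        return None                        # double encoding, NUL, or relative path
    normalized = normalize_segments(decoded)
    if normalized is None or len(normalized) > MAX_PATH_LEN:
        return None                        # climbs above root, or too long once expanded
    full = posixpath.normpath(WEB_ROOT + normalized)
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None                        # containment check on the final path
    return full


def escapes_root(full_path):
    """True if the filesystem path the server would open lies outside WEB_ROOT."""
    real = posixpath.normpath(full_path)
    return real != WEB_ROOT and not real.startswith(WEB_ROOT + "/")


if __name__ == "__main__":
    for req in ("/%2e%2e/%2e%2e/etc/passwd", "/../../etc/passwd",
                "/img/../css/site.css", "/" + "a" * 60 + "/"):
        print(f"{req[:30]:<32} vulnerable={resolve_vulnerable(req)!s:<40} "
              f"hardened={resolve_hardened(req)}")
```

The two orderings differ on exactly the inputs the advisories name: encoded dot segments survive `normalize_segments` untouched and only become `..` after decoding, an unencoded `../` above the root makes the vulnerable resolver fall back to the raw path, and a 62-character directory request passes the raw-length check but becomes 72 characters once the default document is appended. The hardened version rejects a lone `%` after one decode rather than decoding in a loop, which also closes double encoding.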
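CVE-2026-34121 (an appended authentication-exempt action lets privileged actions through) and CVE-2026-34123 (legitimate method mapping masks operations a restricted account may not call) are both failures to authorize every action a request actually dispatches. The following is an added example, not TP-Link code, that models the two flaws in one permissive gate and shows the per-action check that closes both. The action names, the role table, the alias map and the `multipleRequest` batch container are constructed; the page does not describe the camera's real API.

```python
"""Per-action authorization for a JSON device API. Added example; not TP-Link
code. Action names, roles, aliases and the batch container are constructed to
model the flaws described for CVE-2026-34121 and CVE-2026-34123."""
import json

# Constructed policy tables (assumptions, not the camera's real tables).
ALIASES = {"getDeviceInfo": "get_device_info", "rebootDevice": "reboot"}
BATCH = "multipleRequest"                 # constructed batch container method
EXEMPT = {"get_device_info"}              # actions allowed without authentication
ROLE_ALLOW = {
    "anonymous": set(EXEMPT),
    "hub": EXEMPT | {"get_time", BATCH},  # batching is a legitimate hub operation
    "admin": EXEMPT | {"get_time", "reboot", "factory_reset", "set_wifi", BATCH},
}
MAX_DEPTH = 2


def leaf_methods(request, depth=0):
    """Flatten batch containers and map aliases to canonical handler names,
    exactly as the dispatcher would. Raises on over-deep nesting."""
    if depth > MAX_DEPTH:
        raise ValueError("batch nested too deeply")
    method = ALIASES.get(request.get("method"), request.get("method"))
    if method == BATCH:
        leaves = []
        for sub in request.get("params", {}).get("requests", []):
            leaves.extend(leaf_methods(sub, depth + 1))
        return leaves
    return [method]


def gate_vulnerable(request, role):
    """Two flaws modelled from the CVE-2026-34121 / CVE-2026-34123 entries:
    (1) the exemption check walks the request and keeps only the LAST action
    it saw, so appending an exempt action makes a privileged batch look exempt;
    (2) the role allow-list is applied to the OUTER method name only, so a
    permitted batch container masks the restricted operations inside it."""
    leaves = leaf_methods(request)
    if leaves and leaves[-1] in EXEMPT:
        return True
    return request.get("method") in ROLE_ALLOW[role]


def gate_hardened(request, role):
    """Every leaf action, after alias resolution, must be allowed for the
    caller's role; unknown actions, empty batches and over-deep nesting are denied."""
    try:
        leaves = leaf_methods(request)
    except ValueError:
        return False
    allowed = ROLE_ALLOW.get(role, set()) - {BATCH}   # the container itself grants nothing
    return bool(leaves) and all(m in allowed for m in leaves)


def batch(*subs):
    return {"method": BATCH, "params": {"requests": list(subs)}}


# Constructed requests.
UNAUTH_BYPASS = json.loads(
    '{"method":"multipleRequest","params":{"requests":['
    '{"method":"factory_reset"},{"method":"get_device_info"}]}}')
HUB_MASKED = batch({"method": "set_wifi"})                     # restricted op inside an allowed container
HUB_LEGIT = batch({"method": "get_time"}, {"method": "getDeviceInfo"})
TOO_DEEP = batch(batch(batch(batch({"method": "get_time"}))))

if __name__ == "__main__":
    for name, req, role in (("unauth bypass", UNAUTH_BYPASS, "anonymous"),
                            ("hub masked", HUB_MASKED, "hub"),
                            ("hub legit", HUB_LEGIT, "hub")):
        print(f"{name:<14} vulnerable={gate_vulnerable(req, role)!s:<6} "
              f"hardened={gate_hardened(req, role)}")
```

The decisive difference is that `gate_hardened` asks one question of every leaf the dispatcher will run, after the same alias and batch resolution the dispatcher applies, so there is no second parse for an attacker to play against the first.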
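Seven entries above (CVE-2026-9151, CVE-2026-8913, CVE-2026-30818, CVE-2026-30815, CVE-2026-3227, CVE-2026-0654 and CVE-2025-15568) are OS command injections reached through an imported or applied configuration file, where a value from the file ends up inside a shell command. The following is an added example, not TP-Link code, using a WireGuard-style client config as the carrier: the shell-string construction that makes a `;` in `Endpoint` a second command, beside a version that validates each field against its grammar and passes it as one argv element with `shell=False`. The mini parser, both config texts and the all-`A` key are constructed for the example; the argv follows wg(8) `set` syntax.

```python
"""Applying an imported VPN client configuration: shell-string interpolation
(the pattern behind the config-import command injections on this page) beside
an argv-based, grammar-validated version. Added example; not TP-Link code. The
parser, both config texts and DUMMY_KEY are constructed for this example."""
import ipaddress
import re
import subprocess

HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
                     r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)   # RFC 1123 hostname
KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")     # 32 raw bytes as base64 with one pad
DUMMY_KEY = "A" * 43 + "="                       # constructed placeholder, not a real key


def parse_wg_config(text):
    """Tiny INI-style reader for [Interface]/[Peer] blocks (constructed; keys
    end in '=', so split on the FIRST '=' only)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def validate_key(value):
    if not KEY_RE.fullmatch(value):
        raise ValueError("PublicKey is not a 44-character base64 key")
    return value


def validate_endpoint(value):
    """host:port where host is an IPv4 literal, a bracketed IPv6 literal or a hostname."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad endpoint {value!r}")
    if host.startswith("[") and host.endswith("]"):
        ipaddress.IPv6Address(host[1:-1])            # raises ValueError on garbage
    else:
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            if not HOST_RE.fullmatch(host):
                raise ValueError(f"bad endpoint host {host!r}") from None
    return f"{host}:{int(port)}"


def validate_allowed_ips(value):
    nets = [ipaddress.ip_network(s.strip(), strict=False) for s in value.split(",")]
    return ",".join(str(n) for n in nets)


def build_apply_vulnerable(cfg):
    """Values go straight into a shell string: a ';' in Endpoint is a new command."""
    p = cfg["Peer"]
    return (f"wg set wg0 peer {p['PublicKey']} endpoint {p['Endpoint']} "
            f"allowed-ips {p['AllowedIPs']}")


def build_apply_hardened(cfg):
    """Each value passes its grammar check and becomes exactly one argv element."""
    p = cfg["Peer"]
    return ["wg", "set", "wg0", "peer", validate_key(p["PublicKey"]),
            "endpoint", validate_endpoint(p["Endpoint"]),
            "allowed-ips", validate_allowed_ips(p["AllowedIPs"])]


def apply_hardened(cfg):
    subprocess.run(build_apply_hardened(cfg), check=True)   # argv list, shell=False


GOOD_CONF = f"""[Interface]
PrivateKey = {DUMMY_KEY}
Address = 10.8.0.2/32

[Peer]
PublicKey = {DUMMY_KEY}
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
BAD_CONF = GOOD_CONF.replace("vpn.example.net:51820", "vpn.example.net:51820; reboot")

if __name__ == "__main__":
    print(build_apply_vulnerable(parse_wg_config(BAD_CONF)))   # printed only, never run
    print(build_apply_hardened(parse_wg_config(GOOD_CONF)))
```

Two things carry the weight here: the grammar checks are positive (what a port, host, key or CIDR may look like) rather than a blacklist of shell metacharacters, and the command is passed as an argv list, so even a value that slipped through validation would reach `wg` as a single argument rather than being re-parsed by `/bin/sh`.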