Filtered by vendor Tp-link
Subscriptions
Total
527 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1571 | 1 Tp-link | 3 Archer C50 V3, Archer C60, Archer C60 Firmware | 2026-04-16 | 6.1 Medium |
| User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted. | ||||
| CVE-2026-0655 | 1 Tp-link | 2 Deco Be25, Deco Be25 Firmware | 2026-04-16 | 8.0 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TP-Link Deco BE25 v1.0 (web modules) allows authenticated adjacent attacker to read arbitrary files or cause denial of service. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822. | ||||
| CVE-2026-0630 | 1 Tp-link | 2 Archer Be230, Archer Be230 Firmware | 2026-04-16 | 8.0 High |
| An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) and Archer AXE75 v1.0 allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE v1.0 < 1.5.3 Build 20260209 rel. 71108. | ||||
| CVE-2026-0653 | 1 Tp-link | 3 Tapo C260, Tapo C260 Firmware, Tapo C260 V1 | 2026-04-16 | 6.5 Medium |
| On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution. | ||||
| CVE-2026-0654 | 1 Tp-link | 2 Deco Be25, Deco Be25 Firmware | 2026-04-16 | 8.0 High |
| Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822. | ||||
| CVE-2026-30814 | 1 Tp-link | 3 Archer Ax53, Archer Ax53 Firmware, Ax53 V1 | 2026-04-15 | 8.0 High |
| A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash and could allow arbitrary code execution, enabling modification of device state, exposure of sensitive data, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | ||||
| CVE-2026-30815 | 1 Tp-link | 3 Archer Ax53, Archer Ax53 Firmware, Ax53 V1 | 2026-04-15 | 8.0 High |
| An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | ||||
| CVE-2026-30816 | 1 Tp-link | 3 Archer Ax53, Archer Ax53 Firmware, Ax53 V1 | 2026-04-15 | 5.7 Medium |
| An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary file when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | ||||
| CVE-2026-30817 | 1 Tp-link | 3 Archer Ax53, Archer Ax53 Firmware, Ax53 V1 | 2026-04-15 | 5.7 Medium |
| An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | ||||
| CVE-2026-30818 | 1 Tp-link | 3 Archer Ax53, Archer Ax53 Firmware, Ax53 V1 | 2026-04-15 | 8.0 High |
| An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | ||||
| CVE-2025-6982 | 1 Tp-link | 3 Archer C50 V3, Archer C50 V4, Archer C50 V5 | 2026-04-15 | N/A |
| Use of Hard-coded Credentials in TP-Link Archer C50 V3( <= 180703)/V4( <= 250117 )/V5( <= 200407 ), allows attackers to decrypt the config.xml files. | ||||
| CVE-2025-6983 | 1 Tp-link | 1 Archer C1200 | 2026-04-15 | N/A |
| A Clickjacking vulnerability in TP-Link Archer C1200 web management page allows an attacker to trick users into performing unintended actions via rendered UI layers or frames.This issue affects Archer C1200 <= 1.1.5. | ||||
| CVE-2025-40634 | 1 Tp-link | 1 Archer Ax50 | 2026-04-15 | N/A |
| Stack-based buffer overflow vulnerability in the 'conn-indicator' binary running as root on the TP-Link Archer AX50 router, in firmware versions prior to 1.0.15 build 241203 rel61480. This vulnerability allows an attacker to execute arbitrary code on the device over LAN and WAN networks. | ||||
| CVE-2024-53375 | 1 Tp-link | 1 Archer Axe75 Firmware | 2026-04-15 | 8 High |
| An Authenticated Remote Code Execution (RCE) vulnerability affects the TP-Link Archer router series. A vulnerability exists in the "tmp_get_sites" function of the HomeShield functionality provided by TP-Link. This vulnerability is still exploitable without the activation of the HomeShield functionality. | ||||
| CVE-2025-14553 | 3 Apple, Google, Tp-link | 4 Ios, Android, Tapo and 1 more | 2026-04-15 | N/A |
| Exposure of password hashes through an unauthenticated API response in TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute force the password in the local network. Issue can be mitigated through mobile application updates. Device firmware remains unchanged. | ||||
| CVE-2025-11676 | 1 Tp-link | 3 Tl-wr940n, Tl-wr940n V6, Wr940n | 2026-04-15 | N/A |
| Improper input validation vulnerability in TP-Link System Inc. TL-WR940N V6 (UPnP modules), which allows unauthenticated adjacent attackers to perform DoS attack. This issue affects TL-WR940N V6 <= Build 220801. | ||||
| CVE-2025-0729 | 1 Tp-link | 1 Tl-sg108e | 2026-04-15 | 4.3 Medium |
| A vulnerability was found in TP-Link TL-SG108E 1.0.0 Build 20201208 Rel. 40304. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to clickjacking. The attack may be initiated remotely. Upgrading to version 1.0.0 Build 20250124 Rel. 54920(Beta) is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early. They reacted very professional and provided a pre-fix version for their customers. | ||||
| CVE-2024-38471 | 1 Tp-link | 5 Archer Airr5 Firmware, Archer Ax3000 Firmware, Archer Ax5400 Firmware and 2 more | 2026-04-15 | 6.8 Medium |
| Multiple TP-LINK products allow a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by restoring a crafted backup file. The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi. | ||||
| CVE-2023-28760 | 1 Tp-link | 1 Archer Ax21 | 2026-04-15 | 7.5 High |
| TP-Link AX1800 WiFi 6 Router (Archer AX21) devices allow unauthenticated attackers (on the LAN) to execute arbitrary code as root via the db_dir field to minidlnad. The attacker obtains the ability to modify files.db, and that can be used to reach a stack-based buffer overflow in minidlna-1.1.2/upnpsoap.c. Exploitation requires that a USB flash drive is connected to the router (customers often do this to make a \\192.168.0.1 share available on their local network). | ||||
| CVE-2024-53623 | 1 Tp-link | 1 Archer C7 Firmware | 2026-04-15 | 7.5 High |
| Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information. | ||||