What is the CVSS score of CVE-2024-57514?

CVE-2024-57514 has a CVSS 3.1 base score of 4.8 (Medium). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 7.5%.

Which versions of TP-Link are affected by CVE-2024-57514?

Organizations using TP-Link Archer A20 v3 router should be aware of moderate risk from CVE-2024-57514, a cross-site scripting vulnerability rated CVSS 4.8.

Is there a public PoC exploit available for CVE-2024-57514?

Yes, a public proof-of-concept exploit is available for CVE-2024-57514. Prioritise patching immediately. EPSS: 7.5%.

How to fix or mitigate CVE-2024-57514?

During next maintenance window: Identify affected systems and apply vendor patches when convenient. Verify Content-Security-Policy and output encoding.

TP-Link CVE-2024-57514

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2025-01-28 cve@mitre.org

TP-Link XSS

4.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

4.8 MEDIUM

AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:06 vuln.today

CVE Published

Jan 28, 2025 - 22:15 nvd

MEDIUM 4.8

DescriptionCVE.org

The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting (XSS) due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL. This allows the attacker to inject malicious code into the page, executing JavaScript on the victim's browser, which could then be used for further malicious actions. The vulnerability was identified in the 1.0.6 Build 20231011 rel.85717(5553) version.

AnalysisAI

The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting (XSS) due to improper handling of directory listing paths in the web interface. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting (XSS) due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL. This allows the attacker to inject malicious code into the page, executing JavaScript on the victim's browser, which could then be used for further malicious actions. The vulnerability was identified in the 1.0.6 Build 20231011 rel.85717(5553) version.

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More from same product – last 7 days

CVE-2026-9151 HIGH This Week

8.5 Jun 10

OS command injection in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers allows an au

CVE-2024-57514 vulnerability details – vuln.today

Back