Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed.
Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface.
AnalysisAI
Stored XSS in the TP-Link TL-SG108PE v5 web management interface allows an authenticated administrator on an adjacent network to inject persistent malicious script via the SYSNAM configuration parameter during a config file import operation. The injected payload is stored on the device and executes in any administrator's browser upon viewing the affected management page, enabling session cookie theft, unauthorized configuration changes, or exposure of sensitive management-plane data. No public exploit code has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and not automatable, consistent with the high privilege and adjacency prerequisites.
Technical ContextAI
The affected product is the TP-Link TL-SG108PE v5 managed gigabit switch (CPE: cpe:2.3:a:tp-link_systems_inc.:tl-sg108pe_v5:*:*:*:*:*:*:*:*), which exposes an HTTP-based web management interface for device administration. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS): the SYSNAM field within an imported configuration file is not properly sanitized or encoded before being written to persistent storage and subsequently rendered in the management UI. Because the payload is stored rather than reflected, it does not require repeated delivery and persists across sessions until the device is reconfigured or patched. The attack surface is the configuration import feature of the management interface, a privileged operation, which means the injection vector is gated behind an authenticated admin session on an adjacent network segment.
RemediationAI
The primary fix is to upgrade the TL-SG108PE v5 firmware to version 1.0.1 Build 260330 or later, which is confirmed available from the TP-Link vendor advisory at https://www.tp-link.com/us/support/faq/5110/ and downloadable from https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware or the international mirror https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware. Until patching is complete, the following compensating controls reduce exposure: restrict access to the switch management interface to a dedicated, isolated out-of-band management VLAN accessible only to trusted administrator workstations; disable configuration file import functionality if it is not operationally required (note: disabling this feature may limit disaster recovery options); enforce multi-factor authentication or session timeouts on administrator accounts to reduce the window of value for stolen session cookies. These mitigations do not eliminate the vulnerability but substantially raise the bar for exploitation given the existing adjacency and high-privilege prerequisites.
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before
cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models be
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to r
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_set
Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel, as used in c
Directory traversal vulnerability in the web-based management feature on the TP-LINK TL-WR841N router with firmware 3.13
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_sta
TP-Link Archer C7 and TL-WR841N routers contain an authenticated remote command execution vulnerability in the Parental
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized indi
Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the functio
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33420
GHSA-pmw4-462f-6fp3