76
CVEs
0
Critical
58
High
1
KEV
1
PoC
26
Unpatched C/H
50.0%
Patch Rate
0.4%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
58
MEDIUM
17
LOW
0
Monthly CVE Trend
Affected Products (30)
Tl Wr886N Firmware
29
Tl Wr841n Firmware
22
Ex1200t Firmware
19
X15 Firmware
16
Tl Wr840N Firmware
16
Tl Wr940n Firmware
14
Ac1750 Firmware
11
Archer Ax53 Firmware
10
Archer Be230 Firmware
10
Tl Sg108E Firmware
9
Tl Wr740N Firmware
8
Tl Wdr7660 Firmware
8
Omada Er605 Firmware
8
M7350 Firmware
8
T10 Firmware
7
Nc260 Firmware
6
Tl War1750L Firmware
6
Eap Controller
6
Tl War450L Firmware
6
Tl Wvr1750L Firmware
6
Tl War2600L Firmware
6
Tl Wvr458L Firmware
6
Tl War1300L Firmware
6
Nc450 Firmware
6
Tl Wr941Nd Firmware
6
Tl War900L Firmware
6
Tl Wvr4300L Firmware
6
Tl Wvr900L Firmware
6
Nc250 Firmware
6
Tl Wvr1300L Firmware
6
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-9377 | TP-Link Archer C7 and TL-WR841N routers contain an authenticated remote command execution vulnerability in the Parental Control page, affecting end-of-life devices with no patch available. | HIGH | 8.6 | 15.6% | 119 |
KEV
No patch
|
| CVE-2018-25321 | TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | MEDIUM | 5.3 | 0.0% | 47 |
PoC
No patch
|
| CVE-2025-14756 | Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise. [CVSS 8.8 HIGH] | HIGH | 8.8 | 0.3% | 44 |
No patch
|
| CVE-2026-0652 | Authenticated attackers can execute arbitrary commands on TP-Link Tapo C260 v1 cameras through command injection in POST parameters during configuration synchronization, potentially achieving complete device compromise. The vulnerability stems from insufficient input validation and affects confidentiality, integrity, and availability with no patch currently available. | HIGH | 8.8 | 0.2% | 44 |
No patch
|
| CVE-2026-1457 | Remote code execution in TP-Link VIGI C385 cameras results from improper input validation in the Web API that allows authenticated attackers to trigger buffer overflows and corrupt memory. An attacker with valid credentials can exploit this vulnerability to execute arbitrary code with elevated privileges on affected devices. No patch is currently available for this high-severity issue. | HIGH | 8.8 | 0.1% | 44 |
No patch
|
| CVE-2025-15557 | An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. [CVSS 8.8 HIGH] | HIGH | 8.8 | 0.0% | 44 |
No patch
|
| CVE-2026-11834 | Command injection in TP-Link Archer and TL-MR series routers allows an adjacent unauthenticated attacker on the same broadcast domain to execute arbitrary commands with elevated privileges by supplying crafted DHCP option responses. The flaw resides in DHCP client option processing during device initialization and is most reliably triggered when the router is in factory-default or unconfigured state. No public exploit identified at time of analysis, but the vendor (TP-Link) has confirmed the issue and released firmware patches. | HIGH | 8.7 | 0.4% | 44 |
|
| CVE-2026-3294 | An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a lo | HIGH | 8.7 | 0.1% | 44 |
|
| CVE-2026-34121 | TP-Link Tapo C520WS v2.6 contains an authentication bypass in its HTTP-based DS configuration service that allows unauthenticated attackers to execute privileged device configuration actions by appending authentication-exempt parameters to requests. The vulnerability stems from inconsistent JSON request parsing and authorization logic, enabling unauthorized modification of device state without requiring valid credentials. No public exploit code has been identified at time of analysis, and a vendor-released patch is available. | HIGH | 8.7 | 0.1% | 44 |
|
| CVE-2025-14300 | Missing authentication on the HTTPS connectAP interface in TP-Link Tapo C200 V3 firmware (versions 1.3.3 through 1.4.1) allows adjacent network attackers to remotely reconfigure device Wi-Fi settings, causing permanent denial-of-service until manual intervention. The vulnerability exploits CWE-306 (Missing Authentication for Critical Function) with CVSS 8.7 severity, requiring only adjacent network access with low attack complexity and no user interaction. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the technical barrier is minimal for LAN-positioned adversaries. | HIGH | 8.7 | 0.1% | 44 |
No patch
|
| CVE-2026-22226 | Authenticated command injection in the TP-Link Archer BE230 v1.2 router (firmware prior to 1.2.4 Build 20251218 rel.70420) allows an administrator on the adjacent network to execute arbitrary OS commands via the VPN server configuration module. No public exploit identified at time of analysis, and EPSS of 0.99% (77th percentile) suggests modest near-term exploitation likelihood, though successful exploitation yields full device takeover. This CVE is one of several distinct command injection flaws disclosed across separate code paths in the same firmware. | HIGH | 8.5 | 1.0% | 43 |
|
| CVE-2025-15517 | A missing authentication check in the HTTP server of TP-Link Archer NX-series routers (NX200, NX210, NX500, NX600) allows unauthenticated attackers to access privileged CGI endpoints intended for authenticated administrators. An attacker can perform critical operations including firmware upload and configuration changes without providing valid credentials, effectively gaining administrative control over the device. A vendor patch is available, and this vulnerability represents a direct authentication bypass with severe real-world exploitation potential. | HIGH | 8.6 | 0.0% | 43 |
|
| CVE-2026-3841 | A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. | HIGH | 8.5 | 0.5% | 43 |
No patch
|
| CVE-2026-3227 | Authenticated attackers can achieve root-level command execution on TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 routers by uploading a malicious configuration file through the import function, exploiting improper input validation in the port-trigger processing logic. Successful exploitation grants complete control over the affected device, allowing full compromise of the router and any connected network. A patch is available for this high-severity vulnerability. | HIGH | 8.5 | 0.4% | 43 |
|
| CVE-2026-30818 | OS command injection in TP-Link Archer AX53 v1.0 dnsmasq module allows authenticated adjacent attackers to execute arbitrary code through maliciously crafted configuration files. Successful exploitation enables device configuration modification, sensitive data access, and complete system compromise. Affects TP-Link Archer AX53 v1.0 firmware versions prior to 1.7.1 Build 20260213. Requires high-privilege adjacent network access (CVSS:4.0 AV:A/PR:H). No public exploit identified at time of analysis. | HIGH | 8.5 | 0.4% | 43 |
|