12
CVEs
0
Critical
7
High
0
KEV
1
PoC
0
Unpatched C/H
91.7%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
7
MEDIUM
5
LOW
0
Monthly CVE Trend
Affected Products (30)
Tl Wr886N Firmware
29
Tl Wr841n Firmware
22
Ex1200t Firmware
19
X15 Firmware
16
Tl Wr840N Firmware
16
Tl Wr940n Firmware
14
Ac1750 Firmware
11
Archer Ax53 Firmware
10
Archer Be230 Firmware
10
Tl Sg108E Firmware
9
Tl Wr740N Firmware
8
Tl Wdr7660 Firmware
8
Omada Er605 Firmware
8
M7350 Firmware
8
T10 Firmware
7
Nc260 Firmware
6
Tl War1750L Firmware
6
Eap Controller
6
Tl War450L Firmware
6
Tl Wvr1750L Firmware
6
Tl War2600L Firmware
6
Tl Wvr458L Firmware
6
Tl War1300L Firmware
6
Nc450 Firmware
6
Tl Wr941Nd Firmware
6
Tl War900L Firmware
6
Tl Wvr4300L Firmware
6
Tl Wvr900L Firmware
6
Nc250 Firmware
6
Tl Wvr1300L Firmware
6
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2018-25321 | TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. | MEDIUM | 5.3 | 0.0% | 47 |
PoC
No patch
|
| CVE-2026-11834 | Command injection in TP-Link Archer and TL-MR series routers allows an adjacent unauthenticated attacker on the same broadcast domain to execute arbitrary commands with elevated privileges by supplying crafted DHCP option responses. The flaw resides in DHCP client option processing during device initialization and is most reliably triggered when the router is in factory-default or unconfigured state. No public exploit identified at time of analysis, but the vendor (TP-Link) has confirmed the issue and released firmware patches. | HIGH | 8.7 | 0.4% | 44 |
|
| CVE-2026-3294 | An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a lo | HIGH | 8.7 | 0.1% | 44 |
|
| CVE-2026-9151 | OS command injection in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers allows an authenticated attacker on an adjacent network to execute arbitrary commands by uploading a malicious VPN client configuration file. The flaw stems from improper sanitization of special characters during configuration import (CWE-78) and carries a CVSS 4.0 base score of 8.5. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but TP-Link has released firmware fixes for all affected models. | HIGH | 8.5 | 0.4% | 42 |
|
| CVE-2026-34126 | Cleartext Bluetooth transmission in TP-Link Tapo L535E, P300, and D100C devices allows adjacent attackers to intercept and manipulate initial setup data, enabling potential unauthorized device control during onboarding. The flaw stems from missing encryption on the Bluetooth pairing channel used only during initialization, and TP-Link has released patched firmware versions for all affected models. No public exploit identified at time of analysis, but the low complexity and absence of authentication make this a meaningful risk for users provisioning devices in dense urban or office environments. | HIGH | 7.3 | 0.0% | 37 |
|
| CVE-2026-1871 | Denial of service in TP-Link Tapo C200 v5 IP cameras allows adjacent network attackers to crash the RTSP service and force a device reboot by sending a crafted Authorization header in an RTSP authentication request. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler; no public exploit identified at time of analysis, but vendor-acknowledged and patched firmware is available from TP-Link. | HIGH | 7.1 | 0.0% | 36 |
|
| CVE-2026-8714 | Denial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render the camera's video streaming service non-responsive by sending syntactically invalid RTSP input. The flaw is reachable without authentication or user interaction from the local network segment (CVSS 4.0 vector AV:A/PR:N/UI:N) and no public exploit identified at time of analysis. While confidentiality and integrity are unaffected, availability of the surveillance stream is fully impacted, which is operationally significant for a security camera. | HIGH | 7.1 | 0.0% | 36 |
|
| CVE-2026-5040 | Credential disclosure in TP-Link Deco M5 v1 mesh routers stems from a weak (computationally cheap) password-hashing scheme used to store local user credentials, letting an attacker who has already obtained the stored hash recover the plaintext password via offline brute-force or dictionary attacks. Affected devices are the Deco M5 v1 hardware revision, and successful cracking yields access to device management functions scoped to the recovered account's privileges. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 vector (AV:L/AC:H/PR:H) reflects that it is a post-compromise credential-recovery weakness rather than a remote entry point. | HIGH | 7.1 | 0.1% | 36 |
|
| CVE-2026-9105 | Stack-based buffer overflow in the TP-Link TL-WR841N v14 web management interface allows an authenticated attacker on the same local network segment to crash the embedded web server via crafted HTTP requests, forcing the device to automatically reboot. The impact is limited exclusively to availability - no confidentiality or integrity exposure has been identified. No public exploit code or CISA KEV listing exists at time of analysis; the constrained attack prerequisites (adjacent network, administrative credentials) significantly bound real-world risk. | MEDIUM | 6.8 | 0.3% | 34 |
|
| CVE-2026-5039 | TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, m | MEDIUM | 6.1 | 0.0% | 31 |
|
| CVE-2026-34127 | Stored XSS in the TP-Link TL-SG108PE v5 web management interface allows an authenticated administrator on an adjacent network to inject persistent malicious script via the SYSNAM configuration parameter during a config file import operation. The injected payload is stored on the device and executes in any administrator's browser upon viewing the affected management page, enabling session cookie theft, unauthorized configuration changes, or exposure of sensitive management-plane data. No public exploit code has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and not automatable, consistent with the high privilege and adjacency prerequisites. | MEDIUM | 5.3 | 0.0% | 27 |
|
| CVE-2026-13230 | Unauthenticated information disclosure in TP-Link Kasa EC70 v4 and EC71 v4 exposes sensitive geolocation data to any attacker on the same local network segment. The flaw resides in the devices' local discovery mechanism, which returns geolocation-related information in response to crafted network probes without requiring any credentials. Impact is limited to confidentiality; no integrity or availability compromise is possible through this vector. No public exploit exists and no active exploitation has been confirmed. | MEDIUM | 5.3 | 0.2% | 26 |
|