Skip to main content

TP-Link

Vendor security scorecard – 12 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 36
12
CVEs
0
Critical
7
High
0
KEV
1
PoC
0
Unpatched C/H
91.7%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
0
HIGH
7
MEDIUM
5
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2018-25321 TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. MEDIUM 5.3 0.0% 47
PoC No patch
CVE-2026-11834 Command injection in TP-Link Archer and TL-MR series routers allows an adjacent unauthenticated attacker on the same broadcast domain to execute arbitrary commands with elevated privileges by supplying crafted DHCP option responses. The flaw resides in DHCP client option processing during device initialization and is most reliably triggered when the router is in factory-default or unconfigured state. No public exploit identified at time of analysis, but the vendor (TP-Link) has confirmed the issue and released firmware patches. HIGH 8.7 0.4% 44
CVE-2026-3294 An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a lo HIGH 8.7 0.1% 44
CVE-2026-9151 OS command injection in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers allows an authenticated attacker on an adjacent network to execute arbitrary commands by uploading a malicious VPN client configuration file. The flaw stems from improper sanitization of special characters during configuration import (CWE-78) and carries a CVSS 4.0 base score of 8.5. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but TP-Link has released firmware fixes for all affected models. HIGH 8.5 0.4% 42
CVE-2026-34126 Cleartext Bluetooth transmission in TP-Link Tapo L535E, P300, and D100C devices allows adjacent attackers to intercept and manipulate initial setup data, enabling potential unauthorized device control during onboarding. The flaw stems from missing encryption on the Bluetooth pairing channel used only during initialization, and TP-Link has released patched firmware versions for all affected models. No public exploit identified at time of analysis, but the low complexity and absence of authentication make this a meaningful risk for users provisioning devices in dense urban or office environments. HIGH 7.3 0.0% 37
CVE-2026-1871 Denial of service in TP-Link Tapo C200 v5 IP cameras allows adjacent network attackers to crash the RTSP service and force a device reboot by sending a crafted Authorization header in an RTSP authentication request. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler; no public exploit identified at time of analysis, but vendor-acknowledged and patched firmware is available from TP-Link. HIGH 7.1 0.0% 36
CVE-2026-8714 Denial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render the camera's video streaming service non-responsive by sending syntactically invalid RTSP input. The flaw is reachable without authentication or user interaction from the local network segment (CVSS 4.0 vector AV:A/PR:N/UI:N) and no public exploit identified at time of analysis. While confidentiality and integrity are unaffected, availability of the surveillance stream is fully impacted, which is operationally significant for a security camera. HIGH 7.1 0.0% 36
CVE-2026-5040 Credential disclosure in TP-Link Deco M5 v1 mesh routers stems from a weak (computationally cheap) password-hashing scheme used to store local user credentials, letting an attacker who has already obtained the stored hash recover the plaintext password via offline brute-force or dictionary attacks. Affected devices are the Deco M5 v1 hardware revision, and successful cracking yields access to device management functions scoped to the recovered account's privileges. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 vector (AV:L/AC:H/PR:H) reflects that it is a post-compromise credential-recovery weakness rather than a remote entry point. HIGH 7.1 0.1% 36
CVE-2026-9105 Stack-based buffer overflow in the TP-Link TL-WR841N v14 web management interface allows an authenticated attacker on the same local network segment to crash the embedded web server via crafted HTTP requests, forcing the device to automatically reboot. The impact is limited exclusively to availability - no confidentiality or integrity exposure has been identified. No public exploit code or CISA KEV listing exists at time of analysis; the constrained attack prerequisites (adjacent network, administrative credentials) significantly bound real-world risk. MEDIUM 6.8 0.3% 34
CVE-2026-5039 TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, m MEDIUM 6.1 0.0% 31
CVE-2026-34127 Stored XSS in the TP-Link TL-SG108PE v5 web management interface allows an authenticated administrator on an adjacent network to inject persistent malicious script via the SYSNAM configuration parameter during a config file import operation. The injected payload is stored on the device and executes in any administrator's browser upon viewing the affected management page, enabling session cookie theft, unauthorized configuration changes, or exposure of sensitive management-plane data. No public exploit code has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and not automatable, consistent with the high privilege and adjacency prerequisites. MEDIUM 5.3 0.0% 27
CVE-2026-13230 Unauthenticated information disclosure in TP-Link Kasa EC70 v4 and EC71 v4 exposes sensitive geolocation data to any attacker on the same local network segment. The flaw resides in the devices' local discovery mechanism, which returns geolocation-related information in response to crafted network probes without requiring any credentials. Impact is limited to confidentiality; no integrity or availability compromise is possible through this vector. No public exploit exists and no active exploitation has been confirmed. MEDIUM 5.3 0.2% 26

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy