CVE-2021-3275
Published: 2021-03-26 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 6.1 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE: CWE-79
Affected products
| Vendor | Product |
|---|---|
| tp-link | archer-c3150_firmware, td-w9977_firmware, tl-wa801n_firmware |
Description
Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages, including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm, use this vulnerable hostname function (setDefaultHostname()) without sanitization.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-3275
- [Exploit reference] http://packetstormsecurity.com/files/161989/TP-Link-Cross-Site-Scripting.html
- [Exploit reference] https://github.com/smriti548/CVE/blob/main/CVE-2021-3275
- [Exploit reference] https://seclists.org/fulldisclosure/2021/Mar/67
- [Vendor advisory] https://www.tp-link.com
Related CVEs
Same vendor
- CVE-2026-6250 — An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input (8.1 HIGH)
- CVE-2026-1871 — TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorizat... (6.5 MEDIUM)
- CVE-2026-34127 — A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch d... (4.8 MEDIUM)
- CVE-2026-34126 — TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication du... (7.5 HIGH)
- CVE-2026-8697 — Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited aut... (8.8 HIGH)
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)