QSearchQSearch

CVE-2026-34127

4.8 MEDIUM

A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch d...

Published: 2026-05-29 · Last updated: 2026-06-01

Severity and scoring

CVSS
4.8 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE
CWE-79

Affected products

VendorProduct
tp-linktl-sg108pe_firmware

Description

A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed.     Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-1871 TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorizat... (6.5 MEDIUM)
  • CVE-2026-34126 TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication du... (7.5 HIGH)
  • CVE-2026-8697 Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited aut... (8.8 HIGH)
  • CVE-2026-5509 An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execu... (7.2 HIGH)
  • CVE-2026-3294 An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to ma... (8.8 HIGH)

Same CWE

  • CVE-2026-2827 The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in ... (4.7 MEDIUM)
  • CVE-2026-42558 Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
  • CVE-2026-53742 Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template (5.4 MEDIUM)
  • CVE-2026-53741 Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding (5.4 MEDIUM)
  • CVE-2026-53740 Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice (5.4 MEDIUM)