Search criteria
2 vulnerabilities found for TL-SG108PE v5 by TP-Link Systems Inc.
CVE-2026-34127 (GCVE-0-2026-34127)
Vulnerability from nvd – Published: 2026-05-29 18:59 – Updated: 2026-05-29 19:50
VLAI
Title
Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE
Summary
A stored
cross-site scripting (XSS) vulnerability has been identified in the web
management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM
configuration parameter during configuration file import. An attacker with
administrator access can inject malicious script into the device configuration,
which may be stored and executed in the administrator’s browser when the
affected interface is viewed.
Successful
exploitation may allow session cookie theft, unauthorized configuration
changes, or access to sensitive information exposed through the management
interface.
Severity
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/en/support/download/tl-sg… | patch |
| https://www.tp-link.com/us/support/download/tl-sg… | patch |
| https://www.tp-link.com/us/support/faq/5110/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | TL-SG108PE v5 |
Affected:
0 , < 1.0.1 Build 260330
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:50:05.541707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:50:18.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TL-SG108PE v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.0.1 Build 260330",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christopher Walker"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link\u0027s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator\u2019s browser when the\naffected interface is viewed.\u0026nbsp; \u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface.\u003c/p\u003e"
}
],
"value": "A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link\u0027s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator\u2019s browser when the\naffected interface is viewed.\u00a0 \u00a0\u00a0\n\n\n\n\n\nSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:59:14.008Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5110/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link\u0027s TL-SG108PE",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-34127",
"datePublished": "2026-05-29T18:59:14.008Z",
"dateReserved": "2026-03-25T18:54:03.344Z",
"dateUpdated": "2026-05-29T19:50:18.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34127 (GCVE-0-2026-34127)
Vulnerability from cvelistv5 – Published: 2026-05-29 18:59 – Updated: 2026-05-29 19:50
VLAI
Title
Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE
Summary
A stored
cross-site scripting (XSS) vulnerability has been identified in the web
management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM
configuration parameter during configuration file import. An attacker with
administrator access can inject malicious script into the device configuration,
which may be stored and executed in the administrator’s browser when the
affected interface is viewed.
Successful
exploitation may allow session cookie theft, unauthorized configuration
changes, or access to sensitive information exposed through the management
interface.
Severity
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/en/support/download/tl-sg… | patch |
| https://www.tp-link.com/us/support/download/tl-sg… | patch |
| https://www.tp-link.com/us/support/faq/5110/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | TL-SG108PE v5 |
Affected:
0 , < 1.0.1 Build 260330
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:50:05.541707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:50:18.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TL-SG108PE v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.0.1 Build 260330",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christopher Walker"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link\u0027s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator\u2019s browser when the\naffected interface is viewed.\u0026nbsp; \u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface.\u003c/p\u003e"
}
],
"value": "A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link\u0027s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator\u2019s browser when the\naffected interface is viewed.\u00a0 \u00a0\u00a0\n\n\n\n\n\nSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:59:14.008Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5110/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link\u0027s TL-SG108PE",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-34127",
"datePublished": "2026-05-29T18:59:14.008Z",
"dateReserved": "2026-03-25T18:54:03.344Z",
"dateUpdated": "2026-05-29T19:50:18.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}