彙總 TP-Link 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本、輸入驗證問題、路徑處理缺陷與CSRF,在 軟體部署與生產負載 使用場景中可能帶來 工作階段劫持、異常行為與檔案覆寫 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-1871 | TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request. Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera’s live video stream or management interface unti | f23511db-6c3e-4e32-a477-6aa17d310630 | 7.1 | 0.03% | 2026-06-02 | 2026-06-04 |
| CVE-2026-34127 | A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed. Successful exploitation may allow session cookie theft, | f23511db-6c3e-4e32-a477-6aa17d310630 | 5.3 | 0.03% | 2026-05-29 | 2026-06-01 |
| CVE-2026-34126 | TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain | f23511db-6c3e-4e32-a477-6aa17d310630 | 7.3 | 0.01% | 2026-05-28 | 2026-06-03 |
| CVE-2026-8697 | Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH. Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device | f23511db-6c3e-4e32-a477-6aa17d310630 | 8.7 | 0.03% | 2026-05-28 | 2026-06-03 |
| CVE-2026-5509 | An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the browser’s developer console by supplying a crafted input that is passed to backend system commands without adequate sanitization. Successful exploitation enables execution of arbitrary commands with elevated | f23511db-6c3e-4e32-a477-6aa17d310630 | 8.5 | 0.63% | 2026-05-27 | 2026-06-02 |
| CVE-2026-3294 | An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability. | f23511db-6c3e-4e32-a477-6aa17d310630 | 8.7 | 0.05% | 2026-05-22 | 2026-06-01 |
| CVE-2026-5511 | In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information. An authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options. The exposed information is limited in scope and does not include sensitive system data. | f23511db-6c3e-4e32-a477-6aa17d310630 | 4.6 | 0.01% | 2026-05-19 | 2026-06-01 |
| CVE-2018-25321 | TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Attackers can modify port forwarding rules via VirtualServerRpm.htm or change WiFi security settings via WlanSecurityRpm.htm by tricking authenticated users into visiting attacker-controlled pages. | [email protected] | 5.3 | 0.01% | 2026-05-17 | 2026-05-18 |
| CVE-2026-5039 | TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition. | f23511db-6c3e-4e32-a477-6aa17d310630 | 6.1 | 0.01% | 2026-04-23 | 2026-05-05 |
| CVE-2026-5363 | Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login. An adjacent attacker with the ability to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauthorized access and co | f23511db-6c3e-4e32-a477-6aa17d310630 | 5.4 | 0.01% | 2026-04-16 | 2026-05-06 |
| CVE-2026-30818 | An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | f23511db-6c3e-4e32-a477-6aa17d310630 | 8.5 | 0.14% | 2026-04-08 | 2026-05-07 |
| CVE-2026-30817 | An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | f23511db-6c3e-4e32-a477-6aa17d310630 | 6.8 | 0.01% | 2026-04-08 | 2026-05-07 |
| CVE-2026-30816 | An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary file when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | f23511db-6c3e-4e32-a477-6aa17d310630 | 6.8 | 0.01% | 2026-04-08 | 2026-05-07 |
| CVE-2026-30815 | An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | f23511db-6c3e-4e32-a477-6aa17d310630 | 8.5 | 0.15% | 2026-04-08 | 2026-05-07 |
| CVE-2026-30814 | A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash and could allow arbitrary code execution, enabling modification of device state, exposure of sensitive data, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | f23511db-6c3e-4e32-a477-6aa17d310630 | 7.3 | 0.01% | 2026-04-08 | 2026-05-07 |
| CVE-2026-34124 | A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause buffer overflow and memory corruption, leading to system interruption or device reboot. | f23511db-6c3e-4e32-a477-6aa17d310630 | 7.1 | 0.05% | 2026-04-02 | 2026-04-06 |
| CVE-2026-34122 | A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within a configuration handling component due to insufficient input validation. An attacker can exploit this vulnerability by supplying an excessively long value for a vulnerable configuration parameter, resulting in a stack overflow. Successful exploitation results in Denial-of-Service (DoS) condition, leading to a service crash or device reboot, impacting availability. | f23511db-6c3e-4e32-a477-6aa17d310630 | 7.1 | 0.01% | 2026-04-02 | 2026-04-06 |
| CVE-2026-34121 | An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration actions, which may res | f23511db-6c3e-4e32-a477-6aa17d310630 | 8.7 | 0.12% | 2026-04-02 | 2026-04-06 |
| CVE-2026-34120 | A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the asynchronous parsing of local video stream content due to insufficient alignment and validation of buffer boundaries when processing streaming inputs.An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries. Successful exploitation causes a Denial-of-Service (DoS) condition, caus | f23511db-6c3e-4e32-a477-6aa17d310630 | 7.1 | 0.02% | 2026-04-02 | 2026-04-06 |
| CVE-2026-34119 | A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP parsing loop when appending segmented request bodies without continuous write‑boundary verification, due to insufficient boundary validation when handling externally supplied HTTP input. An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries. Successful exploitation cause | f23511db-6c3e-4e32-a477-6aa17d310630 | 7.1 | 0.02% | 2026-04-02 | 2026-04-06 |