CVE-2026-34127— Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE
Possible ATT&CK Techniques 3AI
T1114 · Email Collection T1005 · Data from Local System T1505.003 · Web ShellAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TP-Link Systems Inc. | TL-SG108PE v5 | < 1.0.1 Build 260330 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-34127
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE
Source: NVD (National Vulnerability Database)
Vulnerability Description
A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed. Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| TP-Link Systems Inc. | TL-SG108PE v5 | 0 ~ 1.0.1 Build 260330 | - |
II. Public POCs for CVE-2026-34127
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-34127
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-34127 (1)
Vendor Pages for CVE-2026-34127 (2)
IV. Related Vulnerabilities
Same vendor: TP-Link Systems Inc.
- CVE-2026-34126
Bluetooth Communication Uses Unencrypted Transmission During - CVE-2026-8697
Improper Authentication Rate Limiting on TP-Link's Archer C6 - CVE-2026-5509
Arbitrary Command Injection via Browser Developer Console in - CVE-2026-3294
Authentication Logic Vulnerability on Multiple TP-Link Range - CVE-2026-5511
Information Disclosure via Diagnostic Interface Due to Impro
V. Comments for CVE-2026-34127
No comments yet