Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE
Summary
| CVE | CVE-2026-34127 |
|---|---|
| State | PUBLISHED |
| Assigner | TPLink |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-29 20:16:22 UTC |
| Updated | 2026-06-01 18:35:34 UTC |
| Description | A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed. Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface. |
Risk And Classification
Primary CVSS: v4.0 5.3 MEDIUM from f23511db-6c3e-4e32-a477-6aa17d310630
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000380000 probability, percentile 0.116330000 (date 2026-06-02)
Problem Types: CWE-79 | CWE-79 CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | f23511db-6c3e-4e32-a477-6aa17d310630 | Secondary | 5.3 | MEDIUM | CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 5.3 | MEDIUM | CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L |
| 3.1 | [email protected] | Primary | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
CVSS v4.0 Breakdown
Attack Vector
AdjacentAttack Complexity
LowAttack Requirements
NonePrivileges Required
HighUser Interaction
PassiveConfidentiality
HighIntegrity
LowAvailability
HighSub Conf.
LowSub Integrity
NoneSub Availability
LowCVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
HighUser Interaction
RequiredScope
ChangedConfidentiality
LowIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Tp-link | Tl-sg108pe | 5.0 | All | All | All |
| Operating System | Tp-link | Tl-sg108pe Firmware | 1.0.1 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | TP-Link Systems Inc. | TL-SG108PE V5 | affected 1.0.1 Build 260330 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.tp-link.com/en/support/download/tl-sg108pe/v5 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Product |
| www.tp-link.com/us/support/faq/5110 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Vendor Advisory |
| www.tp-link.com/us/support/download/tl-sg108pe/v5 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Product |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Christopher Walker (en)
There are currently no legacy QID mappings associated with this CVE.