{"api_version":"1","generated_at":"2026-06-03T11:05:56+00:00","cve":"CVE-2026-34127","urls":{"html":"https://cve.report/CVE-2026-34127","api":"https://cve.report/api/cve/CVE-2026-34127.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34127","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34127"},"summary":{"title":"Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE","description":"A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator’s browser when the\naffected interface is viewed.    \n\n\n\n\n\nSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface.","state":"PUBLISHED","assigner":"TPLink","published_at":"2026-05-29 20:16:22","updated_at":"2026-06-01 18:35:34"},"problem_types":["CWE-79","CWE-79 CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"],"metrics":[{"version":"4.0","source":"f23511db-6c3e-4e32-a477-6aa17d310630","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"ADJACENT","baseScore":5.3,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"}},{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}}],"references":[{"url":"https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware","name":"https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware","refsource":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.tp-link.com/us/support/faq/5110/","name":"https://www.tp-link.com/us/support/faq/5110/","refsource":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware","name":"https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware","refsource":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34127","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34127","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"TP-Link Systems Inc.","product":"TL-SG108PE v5","version":"affected 1.0.1 Build 260330 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Christopher Walker","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"34127","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"tp-link","cpe5":"tl-sg108pe","cpe6":"5.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"34127","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"tp-link","cpe5":"tl-sg108pe_firmware","cpe6":"1.0.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"34127","cve":"CVE-2026-34127","epss":"0.000380000","percentile":"0.116330000","score_date":"2026-06-02","updated_at":"2026-06-03 00:08:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-34127","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-29T19:50:05.541707Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-29T19:50:18.478Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"TL-SG108PE v5","vendor":"TP-Link Systems Inc.","versions":[{"lessThan":"1.0.1 Build 260330","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Christopher Walker"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator’s browser when the\naffected interface is viewed.&nbsp; &nbsp;&nbsp;</p>\n\n<p>Successful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface.</p>"}],"value":"A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator’s browser when the\naffected interface is viewed.    \n\n\n\n\n\nSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface."}],"impacts":[{"capecId":"CAPEC-63","descriptions":[{"lang":"en","value":"CAPEC-63 Cross-Site Scripting (XSS)"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"ADJACENT","baseScore":5.3,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-29T18:59:14.008Z","orgId":"f23511db-6c3e-4e32-a477-6aa17d310630","shortName":"TPLink"},"references":[{"tags":["patch"],"url":"https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware"},{"tags":["patch"],"url":"https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware"},{"tags":["vendor-advisory"],"url":"https://www.tp-link.com/us/support/faq/5110/"}],"source":{"discovery":"UNKNOWN"},"title":"Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE","x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"f23511db-6c3e-4e32-a477-6aa17d310630","assignerShortName":"TPLink","cveId":"CVE-2026-34127","datePublished":"2026-05-29T18:59:14.008Z","dateReserved":"2026-03-25T18:54:03.344Z","dateUpdated":"2026-05-29T19:50:18.478Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-29 20:16:22","lastModifiedDate":"2026-06-01 18:35:34","problem_types":["CWE-79","CWE-79 CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"],"metrics":{"cvssMetricV40":[{"source":"f23511db-6c3e-4e32-a477-6aa17d310630","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:tp-link:tl-sg108pe_firmware:1.0.1:*:*:*:*:*:*:*","matchCriteriaId":"10182445-7806-49DE-86AE-3F04ADC3F27B"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:tp-link:tl-sg108pe:5.0:*:*:*:*:*:*:*","matchCriteriaId":"17A11BAA-CD62-40ED-AD34-EC4ED3F692CB"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34127","Ordinal":"1","Title":"Stored Cross-Site Scripting (XSS) via Configuration File Import ","CVE":"CVE-2026-34127","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34127","Ordinal":"1","NoteData":"A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator’s browser when the\naffected interface is viewed.    \n\n\n\n\n\nSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface.","Type":"Description","Title":"Stored Cross-Site Scripting (XSS) via Configuration File Import "}]}}}