CVE-2026-11409

HIGH

OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N

Title source: cna

Description

An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.

Scores

CVSS v3: 7.2
EPSS: 0.0279
EPSS Percentile: 84.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (2):
  tp-link/tl-wr940n_firmware < 260528
  TP-Link Systems Inc./TL-WR940N v6 < V6_260528
Published: Jun 17, 2026
Tracked Since: Jun 17, 2026