CVE-2026-34127

MEDIUM

Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE

Title source: cna

Description

A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed. Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface.

References (3)

Core 3

Core References

Patch patch

https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware

Patch patch

https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware

Vendor Advisory vendor-advisory

https://www.tp-link.com/us/support/faq/5110/

Scores

CVSS v3 4.8

EPSS 0.0024

EPSS Percentile 14.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

tp-link/tl-sg108pe_firmware 1.0.1

TP-Link Systems Inc./TL-SG108PE v5 < 1.0.1 Build 260330

Published May 29, 2026

Tracked Since May 30, 2026