5.3

CVE-2026-34127

Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE

A stored
cross-site scripting (XSS) vulnerability has been identified in the web
management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM
configuration parameter during configuration file import. An attacker with
administrator access can inject malicious script into the device configuration,
which may be stored and executed in the administrator’s browser when the
affected interface is viewed.    





Successful
exploitation may allow session cookie theft, unauthorized configuration
changes, or access to sensitive information exposed through the management
interface.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Tp-linkTl-sg108pe Firmware Version1.0.1
   Tp-linkTl-sg108pe Version5.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.147
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.8 1.7 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
f23511db-6c3e-4e32-a477-6aa17d310630 5.3 0 0
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware
Product
https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware
Product
https://www.tp-link.com/us/support/faq/5110/
Vendor Advisory