{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-34127","assignerOrgId":"f23511db-6c3e-4e32-a477-6aa17d310630","state":"PUBLISHED","assignerShortName":"TPLink","dateReserved":"2026-03-25T18:54:03.344Z","datePublished":"2026-05-29T18:59:14.008Z","dateUpdated":"2026-05-29T19:50:18.478Z"},"containers":{"cna":{"providerMetadata":{"orgId":"f23511db-6c3e-4e32-a477-6aa17d310630","shortName":"TPLink","dateUpdated":"2026-05-29T18:59:14.008Z"},"title":"Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-79","description":"CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-63","descriptions":[{"lang":"en","value":"CAPEC-63 Cross-Site Scripting (XSS)"}]}],"affected":[{"vendor":"TP-Link Systems Inc.","product":"TL-SG108PE v5","versions":[{"status":"affected","version":"0","lessThan":"1.0.1 Build 260330","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator’s browser when the\naffected interface is viewed.    \n\n\n\n\n\nSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator’s browser when the\naffected interface is viewed.&nbsp; &nbsp;&nbsp;</p>\n\n<p>Successful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface.</p>"}]}],"references":[{"url":"https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware","tags":["patch"]},{"url":"https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware","tags":["patch"]},{"url":"https://www.tp-link.com/us/support/faq/5110/","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":5.3,"vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L"}}],"credits":[{"lang":"en","value":"Christopher Walker","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-29T19:50:05.541707Z","id":"CVE-2026-34127","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-29T19:50:18.478Z"}}]}}