Security Advisory: Stored Cross-Site Scripting (XSS) via Configuration File Import on TL-SG108PE (CVE-2026-34127)
Vulnerability and Impact Description:
CVE-2026-34127
A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TL-SG108PE v5.6 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed.
Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface.
CVSS v4.0 Score: 5.3 / Medium
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L
Affected Products/Versions and Fixes:
|
Product Model |
Hardware Version |
Fixed Firmware Version |
|
TL-SG108PE |
V5 |
1.0.1 Build 260330 |
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Update affected devices to the latest firmware version that fixed the vulnerability:
US: Download for TL-SG108PE | TP-Link
EN: Download for TL-SG108PE | TP-Link
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable.
Looking For More
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.