PatchSiren

CVE-2026-34127 TP-Link Systems Inc. CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the web management interface of TP-Link TL-SG108PE v5 switches. It stems from improper sanitization of the SYSNAM configuration parameter during configuration file import. An attacker with administrative privileges can inject malicious JavaScript into a device configuration file; the script is stored on the device and executes in an administrator's browser when the affected interface is viewed. Successful exploitation may enable session cookie theft, unauthorized configuration modifications, or unauthorized access to sensitive information exposed through the management interface. The vulnerability was published to the National Vulnerability Database on May 29, 2026, and is currently awaiting analysis. The CVSS 4.0 vector indicates an adjacent-network attack vector, low attack complexity, high privileges required, and user interaction present, with high impacts to confidentiality and availability.

Vendor: TP-Link Systems Inc.
Product: TL-SG108PE v5
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Network administrators managing TP-Link TL-SG108PE v5 switches; security teams responsible for network infrastructure hardening; organizations using these switches in environments requiring administrative segregation or with compliance requirements for configuration integrity

Technical summary

The vulnerability exists in the configuration import functionality of the TL-SG108PE v5 web management interface. The SYSNAM (system name) parameter lacks proper input sanitization, allowing injection of executable script content. When a configuration file containing malicious SYSNAM values is imported, the payload persists in the device configuration and is rendered unsanitized in administrative browser sessions. The CVSS 4.0 score of 5.3 (Medium) reflects the high privilege requirement (PR:H) and user interaction dependency (UI:P), with high confidentiality and availability impacts if exploited. The attack vector is adjacent network (AV:A), meaning the management interface must be reachable from the attacker's network position.

Defensive priority

medium

Recommended defensive actions

  • Restrict administrative access to the switch web management interface to trusted networks and authorized personnel only
  • Implement network segmentation to limit management interface exposure to adjacent network segments
  • Monitor for unauthorized configuration file imports and changes to SYSNAM parameters
  • Apply firmware updates from TP-Link when security patches become available
  • Review and validate configuration files before import operations
  • Implement session management controls including short session timeouts and re-authentication for sensitive operations
  • Enable logging and alerting for administrative actions on switch management interfaces
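
One way to carry out the "review and validate" and "monitor SYSNAM" actions above is to check every collected system name against a strict allowlist and to HTML-encode it wherever it is displayed. This is an added example, not code from TP-Link or PatchSiren. The allowlist policy, the function names and the sample inventory are assumptions, and extracting the name from a device or configuration backup is left out because the page does not describe the file format.

```python
import html
import re

# Assumed local policy (not from TP-Link): hostname-style names only.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}")
# Characters that matter when a value is written into HTML or inline script.
MARKUP_CHARS = set("<>\"'&`=/\\")


def check_sysname(value):
    """Return the reasons a system name should be rejected (empty list = OK)."""
    reasons = []
    found = sorted(MARKUP_CHARS.intersection(value))
    if found:
        reasons.append("markup-significant characters: " + " ".join(found))
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        reasons.append("control characters")
    if not ALLOWED_NAME.fullmatch(value):
        reasons.append("outside allowlist [A-Za-z0-9_.-], 1-32 chars")
    return reasons


def audit(names):
    """Map device -> reasons for every system name that fails the policy."""
    findings = {}
    for device, value in names.items():
        reasons = check_sysname(value)
        if reasons:
            findings[device] = reasons
    return findings


def safe_cell(value):
    """Encode a name for display in an HTML report, whatever it contains."""
    return html.escape(value, quote=True)


# Constructed sample inventory: device label -> system name as collected.
SAMPLE = {
    "closet-a": "TL-SG108PE",
    "closet-b": "floor2_sw.01",
    "lab-1": "sw<script>/*constructed*/</script>",
    "lab-2": "core switch",
}

if __name__ == "__main__":
    for device, reasons in audit(SAMPLE).items():
        print(device, safe_cell(SAMPLE[device]), "; ".join(reasons))
```

Any report or dashboard that shows flagged names should pass them through `safe_cell` first, so the audit tooling does not render the value it is flagging.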

Evidence notes

CVE published 2026-05-29T20:16:22.607Z; modified 2026-05-29T20:25:18.070Z. CVSS 4.0 vector: AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified. Vendor references include TP-Link firmware download pages and FAQ 5110.

Official resources

This vulnerability requires administrative access to exploit, limiting its attack surface to scenarios where an attacker has already compromised valid credentials or where a malicious administrator is the threat actor. Organizations should: