Description
The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.
Published: 2026-02-05
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can send a specially crafted request that the router processes and executes as JavaScript, because the firmware evaluates the payload with eval without sanitization. This flaw, classified as CWE‑95, enables arbitrary code to run on the router’s admin interface, allowing the attacker to modify configuration, hijack traffic, or exfiltrate information. The impact is remote code execution within the router’s administrative web portal, exposing the device to full control.

Affected Systems

Affected devices include TP‑Link Archer MR200 firmware 5.2, TP‑Link Archer C20 firmware 5 and 6, TP‑Link TL‑WR850N firmware 3, and TP‑Link TL‑WR845N firmware 4; firmware updates are available at the vendor sites linked in the references. Devices running newer firmware versions are not reported to be vulnerable.

Risk and Exploitability

The CVSS score of 5.9 rates the issue as moderate, and an EPSS score below 1% indicates a very low probability of exploitation at present. The vulnerability is not included in the CISA KEV catalog. Exploitation requires an attacker to act as a Man‑in‑the‑Middle on the local network, injecting malicious JavaScript into the router’s admin response; if successful, it results in remote code execution that could alter router settings or redirect traffic.

Generated by OpenCVE AI on May 1, 2026 at 05:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest firmware released by TP‑Link for the affected router models, which removes the unfiltered eval call.
  • If a firmware update is not yet available, restrict administrative access to the router’s web interface by whitelisting trusted IP addresses or by placing the router on a separate isolated subnet.
  • Continuously monitor local network traffic for anomalous HTTP responses or injected scripts and enforce strict firewall rules to block unexpected traffic to the admin interface.

Generated by OpenCVE AI on May 1, 2026 at 05:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge. The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.
References

Thu, 12 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link archer C20 Firmware
Tp-link archer Mr200 Firmware
Tp-link tl-wr845n Firmware
Tp-link tl-wr850n Firmware
CPEs cpe:2.3:h:tp-link:archer_c20:6:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:archer_mr200:5.20:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:tl-wr845n:4:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:tl-wr850n:3:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:archer_c20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:archer_mr200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tl-wr845n_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tl-wr850n_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link archer C20 Firmware
Tp-link archer Mr200 Firmware
Tp-link tl-wr845n Firmware
Tp-link tl-wr850n Firmware
Metrics cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Fri, 06 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link archer C20
Tp-link archer Mr200
Tp-link tl-wr845n
Tp-link tl-wr850n
Vendors & Products Tp-link
Tp-link archer C20
Tp-link archer Mr200
Tp-link tl-wr845n
Tp-link tl-wr850n

Thu, 05 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.
Title LAN Code Execution on TP-Link Archer MR200, Archer C20, TL-WR850N and TL-WR845N
Weaknesses CWE-95
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Tp-link Archer C20 Archer C20 Firmware Archer Mr200 Archer Mr200 Firmware Tl-wr845n Tl-wr845n Firmware Tl-wr850n Tl-wr850n Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-04-22T21:35:19.737Z

Reserved: 2026-01-29T23:07:58.401Z

Link: CVE-2025-15551

cve-icon Vulnrichment

Updated: 2026-02-05T20:29:34.635Z

cve-icon NVD

Status : Modified

Published: 2026-02-05T18:16:09.593

Modified: 2026-04-22T22:16:28.350

Link: CVE-2025-15551

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:00:13Z

Weaknesses