Description
An OS
command injection vulnerability exists in Archer VX800v v1 due to insufficient input sanitization of
the domain name parameter. An adjacent attacker who can access the relevant
HTTP interface can modify the parameter to inject shell metacharacters, resulting
in arbitrary code execution with root privileges.









Successful
exploitation may allow remote code execution and complete compromise of the
device.
Published: 2026-07-14
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in Archer VX800v v1 due to insufficient input sanitization of the domain name parameter. An adjacent attacker who can access the relevant HTTP interface can modify the parameter to inject shell metacharacters, resulting in arbitrary code execution with root privileges. Successful exploitation may allow remote code execution and complete compromise of the device.
Title OS Command Injection in TR-069 (CWMP) Management Interface in TP-Link Archer VX1800v
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-07-14T17:50:30.984Z

Reserved: 2026-07-10T16:59:16.057Z

Link: CVE-2026-15428

cve-icon Vulnrichment

Updated: 2026-07-14T17:50:28.503Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')