Description
A stored
cross-site scripting (XSS) vulnerability has been identified in the web
management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM
configuration parameter during configuration file import. An attacker with
administrator access can inject malicious script into the device configuration,
which may be stored and executed in the administrator’s browser when the
affected interface is viewed.    





Successful
exploitation may allow session cookie theft, unauthorized configuration
changes, or access to sensitive information exposed through the management
interface.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the configuration file import feature of TP‑Link’s TL‑SG108PE v5 switch. The flaw stems from unsanitized handling of the SYSNAM configuration field, allowing an attacker with administrator privileges to inject malicious JavaScript that is stored and later executed in any administrator’s browser when the configuration interface is viewed. The injected script can steal session cookies, modify device settings without approval, or expose protected data through the management portal.

Affected Systems

The vulnerability affects TP‑Link Systems Inc.’s TL‑SG108PE switch running firmware version 5. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. Because EPSS is unavailable and the vulnerability is not catalogued in CISA KEV, the likelihood of widespread exploitation appears limited. However, the attack requires initial administrative access to upload a malicious configuration file, after which any logged‑in administrator could have their session hijacked or device settings altered. With remote management enabled, attackers could potentially reach the admin interface without physical presence, increasing the practical risk.

Generated by OpenCVE AI on May 29, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update available from TP‑Link for the TL‑SG108PE v5 switch.
  • Restrict physical and network access to the device’s management interface, and enforce strict authentication for any admin operations.
  • If possible, disable or limit the configuration file import feature until a patch is applied, or monitor import activity for suspicious changes.

Generated by OpenCVE AI on May 29, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed.     Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface.
Title Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-05-29T19:50:18.478Z

Reserved: 2026-03-25T18:54:03.344Z

Link: CVE-2026-34127

cve-icon Vulnrichment

Updated: 2026-05-29T19:50:13.530Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T20:16:22.607

Modified: 2026-05-29T20:25:18.070

Link: CVE-2026-34127

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T20:30:07Z

Weaknesses