Authenticated OS Command Injection in TL-WR940N Router by TP-Link
CVE-2026-11409

8.5HIGH

Key Information:

Vendor

Tp-link Systems Inc.

Status
Tl-wr940n V6
Vendor
CVE Published:
16 June 2026

What is CVE-2026-11409?

An OS command injection vulnerability exists in the IPv6 PPPoE configuration handler of TL-WR940N v6 due to improper sanitization of user input. This flaw allows an attacker with administrative access to execute arbitrary system commands, potentially leading to unauthorized access and manipulation of the router.

Affected Version(s)

TL-WR940N v6 0

References

https://www.tp-link.com/en/support/download/tl-wr940n/v6/...
patch
https://www.tp-link.com/us/support/download/tl-wr940n/v6/...
patch
https://www.tp-link.com/us/support/faq/5131/
vendor-advisory

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Duong Ton Hoang Khang of Sacombank
.