Stored Cross-Site Scripting Vulnerability in TP-Link TL-SG108PE Switch
CVE-2026-34127

5.3MEDIUM

Key Information:

Vendor

Tp-link Systems Inc.

Status
Tl-sg108pe V5
Vendor
CVE Published:
29 May 2026

What is CVE-2026-34127?

A stored cross-site scripting vulnerability exists within the web management interface of TP-Link's TL-SG108PE v5 switch. This flaw arises from insufficient sanitization of the SYSNAME configuration parameter during the import of configuration files. An authenticated attacker with administrative access can inject malicious scripts into the device's configuration, which are subsequently stored and executed in the browser of any administrator accessing the interface. The exploitation of this vulnerability can lead to session cookie theft, unauthorized modifications to configurations, and exposure of sensitive information accessible through the management interface.

Affected Version(s)

TL-SG108PE v5 0 < 1.0.1 Build 260330

References

https://www.tp-link.com/en/support/download/tl-sg108pe/v5...
patch
https://www.tp-link.com/us/support/download/tl-sg108pe/v5...
patch
https://www.tp-link.com/us/support/faq/5110/
vendor-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Christopher Walker
.