CVE-2026-34127: Stored XSS in TP-Link TL-SG108PE v5 Switch Management Interface
A stored cross-site scripting (XSS) vulnerability exists in TP-Link's TL-SG108PE v5 managed switch web interface. When an administrator imports a configuration file containing malicious code in the SYSNAM parameter, that code is stored without proper sanitization. The next time an administrator accesses the web management interface, the injected script executes in their browser. This could allow an attacker (who must already have administrator credentials) to steal session cookies, modify switch settings, or extract sensitive information from the management interface.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed. Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from inadequate input validation and output encoding of the SYSNAM configuration parameter during configuration file import in the TL-SG108PE v5's web management interface. The device fails to sanitize user-supplied data before storing it, resulting in a stored XSS condition (CWE-79). When the affected parameter is later displayed in the administrative interface without proper HTML encoding, the malicious script payload executes in the context of the administrator's browser session. The attack requires prior administrator access to upload a crafted configuration file, and successful exploitation depends on an administrator viewing the affected interface after the malicious configuration has been imported.
Business impact
Organizations managing TP-Link TL-SG108PE v5 switches face insider risk if malicious administrators or compromised administrative accounts are present. An attacker could exploit this to hijack administrator sessions, capturing authentication tokens and maintaining persistent access to network infrastructure management. This may lead to unauthorized reconfiguration of network segmentation, VLAN policies, or port forwarding rules without audit trail clarity. For enterprises relying on managed switches for network access control, this creates a pathway for lateral movement and data exfiltration. The impact is primarily contained to administrative visibility and control, not to data traversing the switch fabric itself.
Affected systems
TP-Link TL-SG108PE v5 switch and associated firmware are affected. This is a managed Layer 2/3 switch commonly deployed in small to mid-sized business networks, branch offices, and campus environments. The vulnerability is specific to v5 hardware revision; administrators should verify their hardware version via the device label or management interface. Organizations using earlier or later revisions of this model should confirm version numbers before assuming exposure or immunity.
Exploitability
Exploitation requires prior administrator-level access to the web management interface to upload a malicious configuration file. There is no unauthenticated attack vector; this is not a vulnerability that can be exploited from the network perimeter without credentials. The attack also depends on social engineering or internal compromise to trick an administrator into viewing the affected interface after the configuration is imported, or on an attacker maintaining persistent administrator access. The CVSS score of 4.8 (MEDIUM) reflects these access and interaction barriers. This is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Contact TP-Link for a firmware update that properly sanitizes the SYSNAM parameter and applies HTML encoding to all user-supplied configuration data displayed in the management interface. Interim mitigations include restricting administrative access to trusted personnel, implementing network-based access controls to the management interface (limiting access to a jump host or VPN), and monitoring for suspicious configuration file imports via any available audit logging. Review administrative account privileges and consider implementing multi-factor authentication if the switch supports it.
Patch guidance
Apply the latest firmware version released by TP-Link for the TL-SG108PE v5 after this advisory date. Consult TP-Link's support portal or contact their technical support team to obtain and verify the appropriate firmware build. Before deployment in production, test the update in a lab environment to confirm compatibility with existing configurations and network topology. Follow TP-Link's documented firmware upgrade procedure, including backup of current configuration and verification of successful installation. After patching, re-import any previously stored configuration files to ensure they do not contain residual malicious payloads from prior attacks.
Detection guidance
Monitor access logs to the switch management interface for unusual administrative login patterns or sessions originating from unexpected IP addresses. Audit configuration file import events—most managed switches log such actions if syslog or SNMP traps are enabled. Look for configuration files containing suspicious characters or encoded payloads in the SYSNAM field (e.g., script tags, event handlers, encoded entities). Inspect administrator browser sessions for unexpected network requests or cookies being exfiltrated to external domains. Network intrusion detection systems (IDS) may flag malicious scripts in HTTP POST requests during configuration import if properly tuned for XSS patterns. Endpoint Detection & Response (EDR) tools on administrator workstations can identify browser process anomalies or unauthorized certificate usage.
Why prioritize this
This vulnerability merits prompt but not emergency patching. The requirement for pre-existing administrator access significantly limits threat surface compared to unauthenticated flaws. However, insider threats and compromised administrative credentials are real risks in many organizations. The stored nature of the XSS—combined with potential for session hijacking and unauthorized configuration changes to critical infrastructure—warrants prioritization above lower-severity issues. The absence of KEV designation suggests active exploitation is not yet widespread, reducing urgency somewhat. Organizations with strong access controls and administrative credential hygiene can safely defer patching to their next maintenance window; those with weaker administrative security posture should prioritize sooner.
Risk score, explained
CVSS 3.1 score of 4.8 (MEDIUM) reflects: (1) Network-accessible attack vector (AV:N) via the web management interface; (2) low attack complexity (AC:L)—no special technique required once admin access is obtained; (3) high privilege requirement (PR:H)—only exploitable by administrators; (4) requirement for user interaction (UI:R)—victim administrator must view the affected interface; (5) changed scope (S:C)—the XSS can affect resources beyond the vulnerable component, such as other management sessions or external systems; (6) low confidentiality and integrity impact (C:L, I:L)—session hijacking and unauthorized config changes are possible but not total compromise; (7) no availability impact (A:N). The score appropriately balances the real insider threat and session hijacking risk against the prerequisite of administrator access.
Frequently asked questions
Does this vulnerability affect my TL-SG108PE switch if it's not v5?
This advisory is specific to the TL-SG108PE v5 hardware revision. Earlier (v4 and below) and later revisions may not be affected. Verify your hardware version via the label on the device or by checking the System Information page in the web management interface. If uncertain, contact TP-Link support with your device model and serial number.
Can this be exploited if the switch is not connected to the network management interface?
The vulnerability only affects the web management interface. If your TL-SG108PE v5 is deployed with management access completely disabled or isolated to an air-gapped administrative network, the risk is substantially lower. However, disabling management entirely is impractical for most deployments; applying the patch is the recommended defense.
What should I do if I suspect a malicious configuration file was uploaded before this advisory?
Immediately reset the device to factory defaults (which will erase stored configuration) or, if you have a clean backup, restore from a known-good configuration file created before the suspected compromise date. Review administrative access logs for any unauthorized login activity. After patching the firmware, carefully re-import only configurations you can verify are legitimate and free of suspicious entries in the SYSNAM field or other configuration parameters.
Is there a workaround that avoids patching?
No complete workaround exists. The vulnerability is structural—it affects any stored configuration data. Interim risk reduction involves: (1) restricting management interface access to a protected administrative network or jump host; (2) disabling remote management if not required; (3) implementing strong access controls and multi-factor authentication for administrative accounts; (4) monitoring for suspicious configuration imports. These steps reduce risk but do not eliminate the vulnerability; patching is necessary for full remediation.
This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly disclosed information as of the publication date. CVSS scores, CWE classifications, and affected product lists are derived from authoritative sources (NVD, vendor advisories) and should be verified against the latest vendor documentation before operational decisions are made. Patch availability, version numbers, and remediation timelines may vary by region and distribution channel; consult TP-Link's official support channels for definitive guidance. This document does not constitute legal or compliance advice. Organizations should conduct their own risk assessment based on their specific network topology, administrative practices, and threat model. SEC.co makes no warranty regarding the completeness or accuracy of detection signatures, patch effectiveness, or compatibility with specific deployments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1