CVE-2020-35813
Description
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK40 before 2.3.5.30, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK20 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, XR700 before 1.0.1.10, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.2.56, and RAX120 before 1.0.0.78.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR routers and WiFi systems running firmware older than the patched versions are vulnerable to stored cross‑site scripting (XSS), allowing attackers to inject persistent malicious scripts.
Vulnerability
A stored cross‑site scripting (XSS) vulnerability exists in the web‑based administration interface of multiple NETGEAR router and WiFi system models. Affected devices include the D7800 (before firmware version 1.0.1.56), RBK50/RBR50/RBS50/RBK40/RBR40/RBS40 (before 2.3.5.30), RBK20/RBR20/RBS20 (before 2.3.5.26), XR700 (before 1.0.1.10), R7500v2 (before 1.0.3.46), R7800 (before 1.0.2.74), R8900/R9000 (before 1.0.4.28), XR500 (before 2.3.2.56), and RAX120 (before 1.0.0.78) [1]. The vulnerability allows an attacker to store malicious script code in the device’s web interface, which is later executed when an administrator accesses the affected page [1].
Exploitation
Exploitation requires an attacker to have administrative access to the affected device’s web interface, as the XSS payload would need to be entered via a configuration field, such as the device name or another input, and stored on the device [1]. No other network position or user interaction is necessary beyond the admin performing the action that triggers the stored script [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the administrator’s browser session. This can lead to session hijacking, theft of sensitive credentials, or modification of device settings, compromising the confidentiality and integrity of the affected device’s management interface [1].
Mitigation
NETGEAR has released firmware fixes for all listed models as described in the security advisory [1]. Users should update to the following patched firmware versions: D7800 (1.0.1.56 or later), RBK50/RBR50/RBS50/RBK40/RBR40/RBS40 (2.3.5.30 or later), RBK20/RBR20/RBS20 (2.3.5.26 or later), XR700 (1.0.1.10 or later), R7500v2 (1.0.3.46 or later), R7800 (1.0.2.74 or later), R8900/R9000 (1.0.4.28 or later), XR500 (2.3.2.56 or later), and RAX120 (1.0.0.78 or later) [1]. No workaround is provided other than applying the firmware update [1]. The CVE is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
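A device inventory can be checked against the fixed versions listed above. The following is an added example, not part of the CVE record or NETGEAR's advisory; the CSV layout, the host names and the `V`-prefixed firmware string format are assumptions, and the sample inventory is constructed. Versions are compared numerically per component, since a plain string comparison would rank 1.0.1.9 above 1.0.1.10.

```python
import csv
import io
import re

# First fixed firmware per model, copied from the advisory text above.
FIXED = {
    "D7800": "1.0.1.56", "XR700": "1.0.1.10", "R7500V2": "1.0.3.46",
    "R7800": "1.0.2.74", "R8900": "1.0.4.28", "R9000": "1.0.4.28",
    "XR500": "2.3.2.56", "RAX120": "1.0.0.78",
    **{m: "2.3.5.30" for m in ("RBK50", "RBR50", "RBS50", "RBK40", "RBR40", "RBS40")},
    **{m: "2.3.5.26" for m in ("RBK20", "RBR20", "RBS20")},
}

def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in match.group().split(".")) if match else None

def status(model, firmware):
    """Classify one device against the fixed version for its model."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"          # model is not named in this CVE
    running = parse_version(firmware)
    if running is None:
        return "unknown-version"     # needs manual follow-up
    return "vulnerable" if running < parse_version(fixed) else "patched"

def audit(inventory_csv):
    """Assumed inventory format: CSV with host, model, firmware columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["model"], status(r["model"], r["firmware"])) for r in rows]

# Constructed sample inventory (hypothetical hosts).
SAMPLE = """host,model,firmware
gw-lobby,R7800,V1.0.2.68
gw-lab,XR700,V1.0.1.9
mesh-1,RBR50,V2.3.5.30
gw-old,r7500v2,1.0.3.46
sw-core,GS108,V1.0.0.1
gw-x,R9000,unknown
"""

if __name__ == "__main__":
    for host, model, result in audit(SAMPLE):
        print(f"{host:10} {model:8} {result}")
```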
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- NETGEAR/D7800
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.