High severity7.5NVD Advisory· Published Feb 13, 2026· Updated Apr 1, 2026

CVE-2025-9292

Description

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.

Affected products

TP-Link/Aginet
cpe:2.3:a:tp-link:aginet:*:*:*:*:*:*:*:*
Range: <2.13.6
TP-Link/Deco
cpe:2.3:a:tp-link:deco:*:*:*:*:*:*:*:*
Range: <3.9.163
TP-Link/Festa
cpe:2.3:a:tp-link:festa:*:*:*:*:*:*:*:*
Range: <1.7.1
TP-Link/Kasa
cpe:2.3:a:tp-link:kasa:*:*:*:*:*:*:*:*
Range: <3.4.350
TP-Link/Kidshield
cpe:2.3:a:tp-link:kidshield:*:*:*:*:*:*:*:*
Range: <1.1.21
TP-Link/Omada
cpe:2.3:a:tp-link:omada:*:*:*:*:*:*:*:*
Range: <4.25.25
TP-Link/Omada Guard
cpe:2.3:a:tp-link:omada_guard:*:*:*:*:*:*:*:*
Range: <1.1.28
TP-Link/Tapo
cpe:2.3:a:tp-link:tapo:*:*:*:*:*:*:*:*
Range: <3.14.111
TP-Link/Tether
cpe:2.3:a:tp-link:tether:*:*:*:*:*:*:*:*
Range: <4.12.27
TP-Link/Tp Partner
cpe:2.3:a:tp-link:tp-partner:*:*:*:*:*:*:*:*
Range: <2.0.1
TP-Link/Tpcamera
cpe:2.3:a:tp-link:tpcamera:*:*:*:*:*:*:*:*
Range: <3.2.17
TP-Link/Vigi
cpe:2.3:a:tp-link:vigi:*:*:*:*:*:*:*:*
Range: <2.7.70
TP-Link/Wi Fi Navi
cpe:2.3:a:tp-link:wi-fi_navi:*:*:*:*:*:*:*:*
Range: <1.5.5
TP-Link/Wifi Toolkit
cpe:2.3:a:tp-link:wifi_toolkit:*:*:*:*:*:*:*:*
Range: <1.4.28

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.omadanetworks.com/us/support/faq/4969/nvdVendor Advisory
www.tp-link.com/us/support/faq/4969/nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000