VYPR
Medium severity · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-34127

Description

A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitization of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed.

Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in TP-Link TL-SG108PE v5 switch web interface via SYSNAM parameter in config import; fixed in firmware 1.0.1 Build 260330.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web management interface of TP-Link TL-SG108PE v5.6 switch due to improper sanitization of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration. The vulnerability affects firmware versions prior to 1.0.1 Build 260330 [3].

Exploitation

An attacker must have administrator access to the device's web interface. When the attacker imports a crafted configuration file containing malicious JavaScript in the SYSNAM parameter, the script is stored and later executed in the administrator's browser when the affected configuration page is viewed [3].

Impact

Successful exploitation allows the attacker to steal session cookies, make unauthorized configuration changes, or access sensitive information exposed through the management interface [3].

Mitigation

TP-Link has released firmware version 1.0.1 Build 260330 for TL-SG108PE v5 which fixes the vulnerability. Users should update to this firmware via the official TP-Link download page [1]. No workarounds are documented; devices not updated remain vulnerable [3].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
