Home

Description

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator’s browser, potentially exposing sensitive information and compromising confidentiality.

PUBLISHED Reserved 2025-08-20 | Published 2026-01-22 | Updated 2026-01-23 | Assigner TPLink




MEDIUM: 5.7CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unaffected

Any version before 6.0.0.24
affected

Default status
unaffected

Any version before 6.0.0.34
affected

Default status
unaffected

Any version before 6.0.0.100
affected

Credits

Francesco La Spina, Stanislav Dashevskyi from Forescout Technologies finder

References

support.omadanetworks.com/us/download/ patch

support.omadanetworks.com/us/document/114950/ vendor-advisory

cve.org (CVE-2025-9289)

nvd.nist.gov (CVE-2025-9289)

Download JSON