
Description

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting confidentiality, integrity, and availability.

PUBLISHED Reserved 2026-02-26 | Published 2026-05-22 | Updated 2026-05-27 | Assigner TPLink




HIGH: 8.7 | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-20 Improper Input Validation

Product status

Default status
unaffected

Any version before V1_20260429
affected

Default status
unaffected

Any version before V1_20260515
affected

Default status
unaffected

Any version before V1_20260515
affected

Default status
unaffected

Any version before V4_20260515
affected

Default status
unaffected

Any version before V1_20260515
affected

Credits

Job Jobse finder

References

www.tp-link.com/en/support/download/re650/v1/ patch

www.tp-link.com/us/support/download/re650/v1/ patch

www.tp-link.com/us/support/download/re305/v1/ patch

www.tp-link.com/en/support/download/re305/v1/ patch

www.tp-link.com/us/support/download/re360/v1/ patch

www.tp-link.com/en/support/download/re360/v1/ patch

www.tp-link.com/us/support/download/tl-wa860re/v4/ patch

www.tp-link.com/en/support/download/tl-wa860re/v4/ patch

www.tp-link.com/en/support/download/re580d/ patch

www.tp-link.com/us/support/download/re580d/ patch

www.tp-link.com/us/support/faq/5101/ vendor-advisory

cve.org (CVE-2026-3294)

nvd.nist.gov (CVE-2026-3294)
