CVE-2026-8913

Summary

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.

Affected Software

VendorProductVersion RangeStatus
TP-Link Systems Inc.Archer MR600 v50 < EU_V5_1.7.0 0.9.1 260518 rel67803affected
TP-Link Systems Inc.Archer MR600 v50 < JP_V5_1.2.0 0.9.1 260519 rel52362affected

Weaknesses

  • CWE-78: CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References