CVE-2025-9522
Severity: MEDIUM
WAF: Medium
CVSS 5.3
Published: 2026-01-26
CWE-918
Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information.
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_controller | up to 6.0 |
References
- https: (Broken Link)
- support.omadanetworks.com (Vendor Advisory)