CVE-2026-3294
Severity: HIGH
WAF: Medium
CVSS: 8.8
Published: 2026-05-22
CWE: CWE-20, CWE-862
An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting confidentiality, integrity, and availability.
WAF Coverage Analysis
Improper Input Validation
Medium WAF Coverage
OWASP: A03:2021 Injection
920xxx - Protocol Enforcement, 941xxx - XSS / XXE, 942xxx - SQL Injection
Missing Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| tp-link | re305_firmware | up to 20260515 |
| tp-link | re360_firmware | up to 20260515 |
| tp-link | re580d_firmware | up to 20260515 |
| tp-link | re650_firmware | up to 20260429 |
| tp-link | tl-wa860re_firmware | up to 20260515 |