CVE-2026-9151

Published Jun 10, 2026

Last updated 4 days ago

CVSS high 8.5

Overview

Description
An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters.  Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.
Source
f23511db-6c3e-4e32-a477-6aa17d310630
NVD status
Deferred

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.5
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

Weaknesses

f23511db-6c3e-4e32-a477-6aa17d310630
CWE-78

Social media

Hype score
Not currently trending

  1. Neeeext: # CVE-2026-9151 Exploit Kit ## TP-Link Archer OpenVPN Command Injection Exploit Kit

    @YogSoth0

    13 Jun 2026

    185 Impressions

    1 Retweet

    4 Likes

    0 Bookmarks

    1 Reply

    1 Quote

References

Sources include official advisories and independent security research.