Description
A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.
CVSS Metrics
- Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Attack Vector: network
- Complexity: low
- Privileges: high
- User Action: passive
- Confidentiality: low (VC:L in the vector)
- Integrity: none (VI:N in the vector)
- Availability: none (VA:N in the vector)
- Weaknesses: CWE-942
Metadata
- Primary Vendor: TP-LINK
- Published: 2/13/2026
- Last Modified: 4/1/2026
- Source: NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
- tp-link : aginet
- tp-link : deco
- tp-link : festa
- tp-link : kasa
- tp-link : kidshield
- tp-link : omada
- tp-link : omada_guard
- tp-link : tapo
- tp-link : tether
- tp-link : tp-partner
- tp-link : tpcamera
- tp-link : vigi
- tp-link : wi-fi_navi
- tp-link : wifi_toolkit