CVE-2026-9151
Published: Wed, 10 Jun 2026 18:17
Summary
An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to ex
Details
An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters. Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.
Are YOU affected by CVE-2026-9151?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether CVE-2026-9151 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
References
- https://www.tp-link.com/en/support/download/archer-ax12/#Firmware
- https://www.tp-link.com/en/support/download/archer-ax17/#Firmware
- https://www.tp-link.com/en/support/download/archer-ax18/#Firmware
- https://www.tp-link.com/us/support/download/archer-ax1300/#Firmware
- https://www.tp-link.com/us/support/faq/5125/
StackPatch runs this match against YOUR installed packages every hour
Free (3 servers) / from $9/mo (14-day free trial) / Solo $9/mo / Pro $29/mo / Team $79/mo. Indie pricing.