CVE-2025-15551

UNKNOWN 0.0

LAN Code Execution on TP-Link Archer MR200, Archer C20, TL-WR850N and TL-WR845N

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

9th

The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.

CWE	CWE-95
Vendor	tp-link systems inc.
Product	archer mr200 v5.2
Published	Feb 5, 2026
Last Updated	Apr 22, 2026

Stay Ahead of the Next One

Get instant alerts for tp-link systems inc. archer mr200 v5.2

Be the first to know when new unknown vulnerabilities affecting tp-link systems inc. archer mr200 v5.2 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

TP-Link Systems Inc. / Archer MR200 v5.2

0 < 1.2.0 Build 250917 Rel.51746

TP-Link Systems Inc. / Archer C20 v6

0 < 0.9.1 4.19 v0001.0 Build 250630 Rel.56583n

TP Link Systems Inc. / TL-WR850N v3

0 < 3.16.0 0.9.1 v6031.0 Build 251205 Rel.22089n

TP Link Systems Inc. / TL-WR845N v4

0 < 0.9.1 3.19 Build 251031 rel33710

TP-Link Systems Inc. / Archer C20 v5

0 < US_V5_260419 0 < EU_V5_260317

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Swaroop Dora, Deven Lunkad, Ashutosh Kumar, and S. Venkatesan from IoT Security Research Lab, Indian Institute of Information Technology, Allahabad