CVE-2026-8913

UNKNOWN 0.0

Command Injection in TP-Link's Archer MR600 WireGuard Client Configuration

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.

CWE	CWE-78
Vendor	tp-link systems inc.
Product	archer mr600 v5
Published	Jun 8, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for tp-link systems inc. archer mr600 v5

Be the first to know when new unknown vulnerabilities affecting tp-link systems inc. archer mr600 v5 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

TP-Link Systems Inc. / Archer MR600 v5

0 < EU_V5_1.7.0 0.9.1 260518 rel67803 0 < JP_V5_1.2.0 0.9.1 260519 rel52362

References

NVD ↗ CVE.org ↗ EPSS Data ↗

tp-link.com: https://www.tp-link.com/en/support/download/archer-mr600/v5/#Firmware tp-link.com: https://www.tp-link.com/jp/support/download/archer-mr600/v5/#Firmware tp-link.com: https://www.tp-link.com/us/support/faq/5122/

Credits

Akira Moroo (Ricerca Security, Inc.), Satoki Tsuji (Ricerca Security, Inc.), Anonymous