CVE-2026-11410

OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N

CVSS 8.5 HIGHEPSS 2.8%CWE-78

In short

A TP-Link TL-WR940N router has a security flaw in its internet configuration settings that lets someone with admin access run any command on the device. This could allow an attacker to take complete control of your router.

Technical detail

OS command injection vulnerability in the BigPond Cable (BPA) WAN configuration module exploitable by authenticated administrators through unsanitized user input, enabling arbitrary command execution with elevated privileges on the affected router.

Summary generated and translated by AI from the official description.

An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

TP-Link Systems Inc. · TL-WR940N v6

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware https://www.tp-link.com/us/support/faq/5131/