CVE-2026-3294

Severity CVSS v4.0:
HIGH
Type:
CWE-20 Input Validation
Publication date:
22/05/2026
Last modified:
01/06/2026

Description

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation.<br /> <br /> Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:tp-link:re305_firmware:*:*:*:*:*:*:*:* 20260515 (excluding)
cpe:2.3:h:tp-link:re305:1.0:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:re360_firmware:*:*:*:*:*:*:*:* 20260515 (excluding)
cpe:2.3:h:tp-link:re360:1.0:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:re580d_firmware:*:*:*:*:*:*:*:* 20260515 (excluding)
cpe:2.3:h:tp-link:re580d:1.0:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:re650_firmware:*:*:*:*:*:*:*:* 20260429 (excluding)
cpe:2.3:h:tp-link:re650:1.0:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tl-wa860re_firmware:*:*:*:*:*:*:*:* 20260515 (excluding)
cpe:2.3:h:tp-link:tl-wa860re:4.0:*:*:*:*:*:*:*