CVE-2026-30818
OS Command Injection in TP-Link Archer AX53 dnsmasq Module
Publication date: 2026-04-08
Last updated on: 2026-04-14
Assigner: TPLink
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | archer_ax53_firmware | up to 1.7.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated adjacent attacker to execute arbitrary code, potentially modifying device configuration and accessing sensitive information. Such unauthorized access and modification could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.
However, specific impacts on compliance with these standards are not detailed in the provided information.
Can you explain this vulnerability to me?
This vulnerability is an OS command injection issue in the dnsmasq module of the TP-Link Archer AX53 version 1.0. An authenticated attacker who is adjacent (on the same network segment) can execute arbitrary code when the device processes a specially crafted configuration file. The root cause is insufficient input validation in the dnsmasq module.
How can this vulnerability impact me?
Successful exploitation of this vulnerability can allow an attacker to modify the device's configuration, access sensitive information stored on the device, or further compromise the system's integrity by executing arbitrary code.