CVE-2026-10562
Received - Intake

Unauthenticated URL Redirection in TP-Link Archer AX20

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: TPLink

Description

An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web server, these inputs may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains. This issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
archer ax20 to 2.1.9 (inc)

Exploitability

CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Executive Summary

This vulnerability is an unauthenticated URL redirection issue found in Archer AX20 V2 devices. It occurs because the device's web interface does not properly validate user-supplied URL inputs. An attacker can create specially crafted URLs containing URL-encoded path traversal sequences that, when processed by the device's embedded web server, cause the device to redirect users to attacker-controlled external websites.

Impact Analysis

The vulnerability allows an unauthenticated attacker to redirect users of the Archer AX20 V2 device to malicious external websites. This can lead to phishing attacks, malware distribution, or other malicious activities by tricking users into visiting harmful sites. Because the attacker does not need to be authenticated, the risk of exploitation is higher.
