CVE-2026-10562
Received - Intake
Unauthenticated URL Redirection in TP-Link Archer AX20
Publication date: 2026-06-30
Last updated on: 2026-06-30
Assigner: TPLink
Description
An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web server, these inputs may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains.
This issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| archer | ax20 | to 2.1.9 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |