CVE-2026-8913
Received Received - Intake
Command Injection in TP-Link Archer MR600 v5

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: TPLink

Description
A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-8913
EUVD
EUVD-2026-35176
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
archer mr600 5
tp-link archer_mr600 From 1.7.0 (inc)
tp-link archer_mr600 From 1.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated attacker with administrative privileges to execute arbitrary commands on the affected device, potentially leading to a full compromise of confidentiality, integrity, and availability.

Such a compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly mention the impact on compliance with these standards or any regulatory consequences.

Executive Summary

CVE-2026-8913 is a command injection vulnerability found in the WireGuard client configuration of the TP-Link Archer MR600 v5 router.

The vulnerability occurs because the web management interface does not properly sanitize user-controlled input, allowing an authenticated attacker with administrative privileges to execute arbitrary commands when applying configuration changes.

Impact Analysis

Successful exploitation of this vulnerability can lead to a full compromise of the affected device's confidentiality, integrity, and availability.

This means an attacker could potentially take complete control over the router, access sensitive information, alter configurations, or disrupt network services.

Mitigation Strategies

To mitigate the CVE-2026-8913 vulnerability in the Archer MR600 v5 router, users should immediately update their device firmware to the latest versions released by TP-Link.

  • For the EU version, update to firmware EU_V5_1.7.0 0.9.1 260518 rel67803.
  • For the Japan version, update to firmware JP_V5_1.2.0 0.9.1 260519 rel52362.

Applying these updates addresses the improper input sanitization in the web management interface that allows command injection by authenticated administrators.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart