unauthenticated URL redirection vulnerability has been identified in Archer
AX20 V2 due to improper validation of user-supplied URL input within the web
interface. An unauthenticated attacker
can craft URLs containing URL-encoded path traversal sequences.
When
processed by the embedded web server, these inputs may cause the device to
respond with HTTP 3xx redirects to attacker-controlled external domains.
This issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 01 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Tp-link
Tp-link archer Ax20 |
|
| Vendors & Products |
Tp-link
Tp-link archer Ax20 |
Tue, 30 Jun 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web server, these inputs may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains. This issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829. | |
| Title | Unauthenticated Open Redirect Vulnerability on TP-Link Archer AX20 Web Interface | |
| Weaknesses | CWE-601 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: TPLink
Published:
Updated: 2026-07-01T15:38:52.064Z
Reserved: 2026-06-01T15:52:40.939Z
Link: CVE-2026-10562
Updated: 2026-07-01T15:38:48.582Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T10:01:05Z