CVE-2025-15551

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-15551

5.6 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

T

he response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.

References
Link Resource
https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware Product
https://www.tp-link.com/en/support/download/archer-mr200/v5.20/#Firmware Product
https://www.tp-link.com/en/support/download/tl-wr845n/#Firmware Product
https://www.tp-link.com/in/support/download/archer-c20/v6/#Firmware Product
https://www.tp-link.com/in/support/download/archer-mr200/v5.20/#Firmware Product
https://www.tp-link.com/in/support/download/tl-wr845n/#Firmware Product
https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware Product
https://www.tp-link.com/us/support/faq/4948/ Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:tp-link:archer_mr200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:archer_mr200:5.20:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:tp-link:archer_c20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:archer_c20:6:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:tp-link:tl-wr850n_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:tl-wr850n:3:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:tp-link:tl-wr845n_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:tl-wr845n:4:*:*:*:*:*:*:*
History

12 Feb 2026, 16:24

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.6
First Time Tp-link archer Mr200
Tp-link tl-wr850n
Tp-link
Tp-link archer C20
Tp-link tl-wr845n Firmware
Tp-link archer Mr200 Firmware
Tp-link tl-wr845n
Tp-link tl-wr850n Firmware
Tp-link archer C20 Firmware
References () https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware - () https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware - Product
References () https://www.tp-link.com/en/support/download/archer-mr200/v5.20/#Firmware - () https://www.tp-link.com/en/support/download/archer-mr200/v5.20/#Firmware - Product
References () https://www.tp-link.com/en/support/download/tl-wr845n/#Firmware - () https://www.tp-link.com/en/support/download/tl-wr845n/#Firmware - Product
References () https://www.tp-link.com/in/support/download/archer-c20/v6/#Firmware - () https://www.tp-link.com/in/support/download/archer-c20/v6/#Firmware - Product
References () https://www.tp-link.com/in/support/download/archer-mr200/v5.20/#Firmware - () https://www.tp-link.com/in/support/download/archer-mr200/v5.20/#Firmware - Product
References () https://www.tp-link.com/in/support/download/tl-wr845n/#Firmware - () https://www.tp-link.com/in/support/download/tl-wr845n/#Firmware - Product
References () https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware - () https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware - Product
References () https://www.tp-link.com/us/support/faq/4948/ - () https://www.tp-link.com/us/support/faq/4948/ - Vendor Advisory
CPE cpe:2.3:o:tp-link:tl-wr850n_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:archer_mr200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:archer_c20:6:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:archer_mr200:5.20:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:archer_c20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tl-wr845n_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:tl-wr850n:3:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:tl-wr845n:4:*:*:*:*:*:*:*

05 Feb 2026, 18:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-05 18:16

Updated : 2026-02-12 16:24

NVD link : CVE-2025-15551

Mitre link : CVE-2025-15551

CVE.ORG link : CVE-2025-15551

JSON object : View

Products Affected

tp-link

CWE
CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')