CVE-2025-15551 MEDIUM

CVE-2025-15551: LAN Code Execution on TP-Link Archer MR200, Archer C20, TL-WR850N and TL-WR845N

Vendor Tp-Link Systems Inc.
Product Archer MR200 v5.2
Weakness CWE-95 · Eval injection
Published February 5, 2026
Last update April 22, 2026

CVSS base score

5.9/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.

Key dates

02Disclosure timeline

February 5, 2026 CVE published
April 22, 2026 Record updated