CVE-2025-9289 MEDIUM

CVE-2025-9289: Cross-Site Scripting (XSS) on Omada Controllers

Vendor Tp-Link Systems Inc.
Product Omada Software Controller
Weakness CWE-79 · XSS
Published January 22, 2026
Last update January 23, 2026
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01Description

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator’s browser, potentially exposing sensitive information and compromising confidentiality.

Key dates

02Disclosure timeline

January 22, 2026 CVE published
January 23, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-47495 WordPress Blockspare plugin <= 3.2.9 - Cross Site Scripting (XSS) Vulnerability CVE-2024-0848 AA Cash Calculator <= 1.0 - Reflected Cross-Site Scripting via invoice CVE-2026-2840 Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode CVE-2024-28190 Contao core bundle vulnerable to cross site scripting in the file manager CVE-2024-1842 WPBakery Visual Composer <= 7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Heading tag attribute