CVE-2026-0654 HIGH

CVE-2026-0654: Command injection on TP-Link Deco BE25

Vendor TP-Link Systems Inc.
Product Deco BE25 v1.0
Weakness CWE-78
Published March 2, 2026
Last update March 11, 2026

CVSS base score

8.5/10
Attack vector Adjacent
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

What the vulnerability does

01 Description

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via a crafted configuration file, impacting the confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0: versions through 1.1.1 Build 20250822.

Key dates

02 Disclosure timeline

March 2, 2026 CVE published
March 11, 2026 Record updated