Cross-Site Scripting (XSS) on Omada Controllers_CVE-2025-9289

5.7 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Description

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator’s browser, potentially exposing sensitive information and compromising confidentiality.

Basic Information

ID CVE-2025-9289

Source TPLink

Published Jan 22, 2026 at 21:48

Modified Jan 23, 2026 at 20:16

Affected Product

Vendor TP-Link Systems Inc.

Product Omada Software Controller

Affected Versions TP-Link Systems Inc. Omada Software Controller 0
TP-Link Systems Inc. Omada OC200, OC220, OC300, OC400 0
TP-Link Systems Inc. Omada cloud controller 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator\u2019s browser, potentially exposing sensitive information and compromising confidentiality.",
    "published": "2026-01-22T21:48:35.662Z",
    "modified": "2026-01-23T20:16:00.912Z",
    "type": "cve",
    "title": "Cross-Site Scripting (XSS) on Omada Controllers",
    "source": "TPLink",
    "references": "https://support.omadanetworks.com/us/download/\nhttps://support.omadanetworks.com/us/document/114950/",
    "id": "CVE-2025-9289",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "TP-Link Systems Inc. Omada Software Controller 0\nTP-Link Systems Inc. Omada OC200, OC220, OC300, OC400 0\nTP-Link Systems Inc. Omada cloud controller 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.7,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Omada Software Controller",
    "version": "0",
    "vendor": "TP-Link Systems Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}