Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on...

2 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.

Basic Information

ID CVE-2025-9292

Source TPLink

Published Feb 13, 2026 at 00:21

Affected Product

Vendor TP-Link Systems Inc.

Product Omada Cloud Controller

Affected Versions TP-Link Systems Inc. Omada Cloud Controller 0

CWE Classification

CWE-942

References

www.tp-link.com /us/support/faq/4969/

{
    "lastseen": "",
    "description": "A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances.  Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface.  Successful exploitation could allow unauthorized disclosure of sensitive information.\u00a0Fixed in updated Omada Cloud Controller service versions deployed automatically by TP\u2011Link. No user action is required.",
    "published": "2026-02-13T00:21:24.168Z",
    "modified": "2026-02-13T00:21:24.168Z",
    "type": "cve",
    "title": "Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on Omada Cloud Controllers",
    "source": "TPLink",
    "references": "https://www.tp-link.com/us/support/faq/4969/",
    "id": "CVE-2025-9292",
    "bulletinFamily": "",
    "cwe": [
        "CWE-942"
    ],
    "cvelist": null,
    "sourceData": "TP-Link Systems Inc. Omada Cloud Controller 0",
    "sourceHref": "",
    "cvss": {
        "score": 2,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Omada Cloud Controller",
    "version": "0",
    "vendor": "TP-Link Systems Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on Omada Cloud Controllers_CVE-2025-9292