CVE-2026-22220

EUVD-2026-5216

03.02.2026, 18:16

A lack of proper input validation in the HTTP processing path in TP-Link Archer BE230 v1.2 (web modules) may allow a crafted request to cause the device’s web service to become unresponsive, resulting in a denial of service condition. A network adjacent attacker with high privileges could cause the device’s web interface to temporarily stop responding until it recovers or is rebooted.
This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.5 MEDIUM	ADJACENT_NETWORK	LOW	HIGH	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
tp-link	archer_be230_firmware	𝑥 < 1.2.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware

https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware

https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware

https://www.tp-link.com/us/support/faq/4941/