On TP-Link TL-WR740N v4 and TL-WR740ND v4 devices, an attacker with access to the admin panel can inject HTML code and change the HTML context of the target pages and stations in the access-control settings via targets_lists_name or hosts_lists_name.

CVE: CVE-2020-14965 
CVSS: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Request parameter: targets_lists_name, hosts_lists_name 
Device:  TP-Link TL-WR740N v4 and TL-WR740ND v4
Researcher: Guilherme Rubert
Payload: ">%3E%3Cmarquee%3E

References:
https://www.tp-link.com/br/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14965
https://nvd.nist.gov/vuln/detail/CVE-2020-14965
Proof of concept