There are thousands of issues. I updated my comment with a few examples.
They suffer from extremely poor code quality, a complete lack of understanding of security, and severe code reuse without recording what devices the code ends up in. You can take existing TP-Link exploits, poke around in a new model of device, and often find the same vulnerable endpoint under a new "hidden" URL.
Edit: to address your specific question, CVE-2021-35004 is RCE against both routers and standalone APs.