Description
User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted.
Published: 2026-02-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via the device web UI through reflected XSS
Action: Update Firmware
AI Analysis

Impact

On TP‑Link Archer C60 v3, a user‑controlled query string is reflected into the web UI’s HTML output without proper encoding, allowing an attacker to inject and execute arbitrary JavaScript when a privileged user is logged into the router. This could enable credential theft, session hijacking, or the execution of unintended commands as the device user.

Affected Systems

The affected equipment is the TP‑Link Archer C60 version 3, running firmware 3.0. No other vendors or product lines are listed as impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating medium severity, and an EPSS score of less than 1 %, showing a low likelihood of exploitation. It is not catalogued in CISA’s KEV list. The attack vector would typically involve an attacker crafting a malicious URL and convincing a privileged user to visit it while authenticated to the router’s web interface.

Generated by OpenCVE AI on April 16, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the TP‑Link support site for a firmware update that patches the reflected XSS flaw and install the latest release on the Archer C60.
  • If no patch is available, avoid using the router’s web UI from untrusted origins or limit remote management access to trusted IP addresses.
  • Consider disabling anonymous or remote web management entirely and use local console or SSH only from secure networks.

Generated by OpenCVE AI on April 16, 2026 at 17:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link archer C60
Tp-link archer C60 Firmware
CPEs cpe:2.3:h:tp-link:archer_c60:3.0:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:archer_c60_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link archer C60
Tp-link archer C60 Firmware
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link archer C50 V3
Vendors & Products Tp-link
Tp-link archer C50 V3

Wed, 11 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted.
Title Reflected XSS Vulnerability on TP-Link Archer C60
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Tp-link Archer C50 V3 Archer C60 Archer C60 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-03-10T16:44:13.815Z

Reserved: 2026-01-28T21:16:37.609Z

Link: CVE-2026-1571

cve-icon Vulnrichment

Updated: 2026-02-11T20:58:48.269Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T01:15:56.453

Modified: 2026-02-20T20:19:24.487

Link: CVE-2026-1571

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:30:25Z

Weaknesses