CVE-2026-1571
Awaiting Analysis Awaiting Analysis - Queue
Reflected XSS in TP-Link Archer C60 v3 Web UI Enables Credential Theft

Publication date: 2026-02-11

Last updated on: 2026-02-20

Assigner: TPLink

Description
User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL.Β An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1571
EUVD
EUVD-2026-6258
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tp-link archer_c60_firmware to 260206 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected Cross-Site Scripting (XSS) flaw found in the TP-Link Archer C60 version 3 router. It occurs because user-controlled input is reflected into the HTML output of the device’s web user interface without proper encoding.

An attacker can exploit this by crafting a malicious URL that, when accessed, executes arbitrary JavaScript code within the context of the device’s web UI.

This allows the attacker to potentially perform actions such as credential theft, session hijacking, or unauthorized actions if a privileged user is targeted.

Impact Analysis

The vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code in the router’s web interface context.

  • Credential theft – attackers may steal login credentials.
  • Session hijacking – attackers can take over user sessions.
  • Unauthorized actions – attackers may perform unintended actions on behalf of privileged users.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the TP-Link Archer C60 v3 web user interface, exploitable via a crafted URL that executes arbitrary JavaScript code.'}, {'type': 'paragraph', 'content': 'Detection involves identifying if the device is running an affected firmware version earlier than V3_260206 and testing if user-controlled input is reflected without proper encoding in the web UI.'}, {'type': 'paragraph', 'content': "A practical approach to detect this vulnerability is to access the router's web interface and attempt to inject a simple script payload in URL parameters to see if it executes or is reflected unencoded."}, {'type': 'paragraph', 'content': "Specific commands are not provided in the available resources, but you can manually test by crafting URLs with JavaScript payloads targeting the router's web UI and observing the response."}] [1]

Mitigation Strategies

The primary mitigation step is to update the TP-Link Archer C60 v3 router firmware to the latest version available from the official TP-Link support page.

Ensure that the firmware version is at least V3_260206 or later, as versions prior to this are vulnerable.

During the firmware upgrade, follow best practices such as using a wired connection, not interrupting power, and downloading firmware from the correct regional TP-Link website to avoid upgrade failure or warranty issues.

Avoid clicking on suspicious or untrusted URLs that could exploit this reflected XSS vulnerability until the device is patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1571. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart