CVE-2026-1571
Reflected XSS in TP-Link Archer C60 v3 Web UI Enables Credential Theft
Publication date: 2026-02-11
Last updated on: 2026-02-20
Assigner: TPLink
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | archer_c60_firmware | up to 260206 (excluding 260206) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected Cross-Site Scripting (XSS) flaw found in the TP-Link Archer C60 version 3 router. It occurs because user-controlled input is reflected into the HTML output of the device's web user interface without proper encoding.
An attacker can exploit this by crafting a malicious URL that, when accessed, executes arbitrary JavaScript code within the context of the device's web UI.
This allows the attacker to potentially perform actions such as credential theft, session hijacking, or unauthorized actions if a privileged user is targeted.
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code in the router's web interface context.
- Credential theft: attackers may steal login credentials.
- Session hijacking: attackers can take over user sessions.
- Unauthorized actions: attackers may perform unintended actions on behalf of privileged users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the TP-Link Archer C60 v3 web user interface, exploitable via a crafted URL that executes arbitrary JavaScript code.
Detection involves identifying if the device is running an affected firmware version earlier than V3_260206 and testing if user-controlled input is reflected without proper encoding in the web UI.
A practical approach to detect this vulnerability is to access the router's web interface and attempt to inject a simple script payload in URL parameters to see if it executes or is reflected unencoded.
Specific commands are not provided in the available resources, but you can manually test by crafting URLs with JavaScript payloads targeting the router's web UI and observing the response. [1]
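The two detection checks above (firmware build below 260206, and a parameter echoed back without HTML encoding) as an added, offline Python example; it is not from the advisory or from TP-Link. It assumes a firmware string containing a "V3_<six digits>" build token like the advisory's "V3_260206", and the sample response bodies are constructed, not captured from a device.

```python
# Added example (not from the advisory): offline checks for CVE-2026-1571 exposure,
# run against data already collected from your own Archer C60 v3: the firmware
# string shown in its status page and an HTTP response body saved from the web UI.
import html
import re

FIXED_BUILD = 260206  # first fixed build named by the advisory: V3_260206


def firmware_is_affected(version_string: str) -> bool:
    """True when the build number in a 'V3_<six digits>' token is below 260206.

    The 'V3_YYMMDD' layout is an assumption drawn from the advisory's 'V3_260206'.
    """
    match = re.search(r"\bV3_(\d{6})\b", version_string)
    if match is None:
        raise ValueError(f"no V3 build token found in {version_string!r}")
    return int(match.group(1)) < FIXED_BUILD


# Harmless marker holding every character HTML output encoding must neutralise.
# If echoed verbatim it renders as plain text and runs nothing, so it is safe to
# use as a query-parameter value when verifying a device you administer.
CANARY = 'xss<canary>"&\''


def classify_reflection(response_body: str, canary: str = CANARY) -> str:
    """'unencoded' if the raw metacharacters came back (the CWE-79 condition),
    'encoded' if only the HTML-escaped form did, 'absent' if not reflected."""
    if canary in response_body:
        return "unencoded"
    if html.escape(canary, quote=True) in response_body:
        return "encoded"
    return "absent"


def assess(version_string: str, response_body: str) -> dict:
    """Combine both signals; 'firmware_affected' alone is enough to patch."""
    return {
        "firmware_affected": firmware_is_affected(version_string),
        "reflection": classify_reflection(response_body),
    }


# Constructed sample responses (not real device output) for a page that echoes
# a request parameter: one raw, one with correct HTML encoding applied.
SAMPLE_VULNERABLE = "<html><body>Not found: " + CANARY + "</body></html>"
SAMPLE_FIXED = "<html><body>Not found: " + html.escape(CANARY, quote=True) + "</body></html>"

if __name__ == "__main__":
    print(assess("Archer C60 v3 V3_251101", SAMPLE_VULNERABLE))  # constructed version
    print(assess("Archer C60 v3 V3_260206", SAMPLE_FIXED))
```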
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the TP-Link Archer C60 v3 router firmware to the latest version available from the official TP-Link support page.
Ensure that the firmware version is at least V3_260206 or later, as versions prior to this are vulnerable.
During the firmware upgrade, follow best practices such as using a wired connection, not interrupting power, and downloading firmware from the correct regional TP-Link website to avoid upgrade failure or warranty issues.
Avoid clicking on suspicious or untrusted URLs that could exploit this reflected XSS vulnerability until the device is patched.