CVE-2026-8699
Deferred Deferred - Pending Action

Stored XSS in TP-Link Archer C5 Router Firmware

Vulnerability report for CVE-2026-8699, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: TPLink

Description

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.Β  An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator's browser.Successful exploitation allows execution of arbitrary JavaScript in an admin's browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings. The vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-03
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
tp-link archer_c5 to 6.8 (inc)
archer c5 6.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-8699 is a stored Cross-Site Scripting (XSS) vulnerability found in the web management interface of TP-Link Archer C5 v6.8 routers. It occurs because the server does not properly validate or encode user input in a specific field. An attacker who has administrative access can inject malicious HTML or JavaScript code into this field. This code is then stored and executed later when an administrator views the affected page, allowing the attacker to run arbitrary JavaScript in the admin's browser.

Impact Analysis

Exploiting this vulnerability can lead to several serious impacts. An attacker can hijack the administrator's session, gain unauthorized access to router configuration settings, expose sensitive data, and modify device configurations. This can compromise the security and integrity of the network managed by the affected router.

Mitigation Strategies

The vulnerability is being addressed by TP-Link through updated firmware (version 0.2.0 3.0.0 v6063.0 Build 260331 Rel.37416n), which is deployed automatically by Internet Service Providers (ISPs) in India for affected devices.

Users with ISP-managed firmware do not need to take manual action as the update is handled automatically.

If you have not received the update, you should contact your ISP for confirmation or further assistance.

Compliance Impact

The vulnerability allows an attacker with administrative privileges to execute arbitrary JavaScript in an administrator's browser, potentially leading to session hijacking, unauthorized access to router configuration, exposure of sensitive data, and modification of device settings.

Exposure of sensitive data and unauthorized access caused by this vulnerability could negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information and ensuring secure access controls.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8699. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart