Stored Cross-Site Scripting in Archer C5 Routers by TP-Link
CVE-2026-8699
What is CVE-2026-8699?
A stored Cross-Site Scripting (XSS) vulnerability exists in the web-based management interface of Archer C5 v6.8 routers due to inadequate server-side validation and improper output encoding of user input. This allows an attacker with administrative access to inject malicious HTML or JavaScript into a designated field. When the vulnerable page is accessed, the injected payload is executed in the context of the administrator’s browser. Exploiting this vulnerability could allow for session hijacking and unauthorized access to router settings, potentially leading to sensitive data exposure or modification of device configurations. The issue specifically affects the ISP-managed firmware variants, with remediation coordinated through service providers.
Affected Version(s)
Archer C5 v6.8 0 < 0.2.0 3.0.0 v6063.0 Build 260331 Rel.37416n
