Stored Cross-Site Scripting in Archer C5 Routers by TP-Link
CVE-2026-8699

7 HIGH

What is CVE-2026-8699?

A stored Cross-Site Scripting (XSS) vulnerability exists in the web-based management interface of Archer C5 v6.8 routers due to inadequate server-side validation and improper output encoding of user input. This allows an attacker with administrative access to inject malicious HTML or JavaScript into a designated field. When the vulnerable page is accessed, the injected payload is executed in the context of the administrator’s browser. Exploiting this vulnerability could allow for session hijacking and unauthorized access to router settings, potentially leading to sensitive data exposure or modification of device configurations. The issue specifically affects the ISP-managed firmware variants, with remediation coordinated through service providers.

Affected Version(s)

Archer C5 v6.8: 0 < 0.2.0 3.0.0 v6063.0 Build 260331 Rel.37416n

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jithin Nambiar J