CVE-2026-1571
MEDIUM
TP-Link Archer C60 v3 < 260206 - Reflected Cross-Site Scripting via Crafted URL
Title source: llm
Description
User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted.
References (2)
Core References
Various Sources patch
https://www.tp-link.com/en/support/download/archer-c60/#Firmware
Various Sources vendor-advisory
https://www.tp-link.com/us/support/faq/4961/
Scores
CVSS v3
6.1
EPSS
0.0002
EPSS Percentile
4.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
tp-link/archer_c60_firmware
< 260206
Published
Feb 11, 2026
Tracked Since
Feb 18, 2026