
Security Advisory: Stored Cross-Site Scripting (XSS) in TP-Link Archer C5 Web Management Interface (CVE-2026-8699)

Security Advisory
Last updated: July 2, 2026

Vulnerability and Impact Description:

CVE-2026-8699

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field. An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator's browser.

Successful exploitation allows execution of arbitrary JavaScript in an admin's browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings.
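The two missing controls named above (server-side validation and output encoding), shown as an added example that is not TP-Link's code and not part of the original advisory. The field name `hostLabel` and every function here are hypothetical, since the advisory does not identify the affected field.

```javascript
// Added illustration; "hostLabel" and all functions are hypothetical,
// not taken from the Archer C5 firmware.

// Vulnerable pattern: the stored value is concatenated into markup unencoded,
// so any markup saved in the field becomes part of the admin page.
function renderRowUnsafe(hostLabel) {
  return "<td>" + hostLabel + "</td>";
}

// Output encoding for an HTML text or quoted-attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side validation at write time: allowlist of characters and length.
const LABEL_PATTERN = /^[A-Za-z0-9 _.-]{1,32}$/;
function validateLabel(value) {
  return typeof value === "string" && LABEL_PATTERN.test(value);
}

// Store handler: reject invalid input outright instead of trying to strip markup.
function storeLabel(store, value) {
  if (!validateLabel(value)) return { ok: false, error: "invalid label" };
  store.hostLabel = value;
  return { ok: true };
}

// Hardened render: encode on output even though input is validated, because a
// stored value may predate the validation rule.
function renderRowSafe(hostLabel) {
  return "<td>" + encodeHtml(hostLabel) + "</td>";
}

// Constructed sample input, used only to show the difference in rendering.
const SAMPLE = '<script>document.title="x"</script>';

console.log(renderRowUnsafe(SAMPLE)); // markup reaches the page intact
console.log(renderRowSafe(SAMPLE));   // markup is rendered as inert text
console.log(storeLabel({}, SAMPLE));  // rejected before it is ever stored
```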

CVSS v4.0 Score: 7.0 / High

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products/Versions and Fixes:

Product Model: Archer C5

Hardware Version: V6.8

Affected Firmware Version: < 0.2.0 3.0.0 v6063.0 Build 260331 Rel.37416n

Recommendations:

For affected devices running ISP‑managed firmware, remediation is being handled directly by the respective Internet Service Providers (ISPs).

TP-Link has provided updated firmware to ISPs serving India and the fixed firmware is being deployed to affected devices directly as part of the ISP’s managed update process. In most cases, end users are not required to take manual action to obtain or install the update.

Firmware images for the affected ISP variants are not available for public download, and no standalone firmware links will be provided.

Customers who require confirmation of update status or have not received the update should contact their ISP for additional information.

Devices purchased through retail channels using standard TP-Link firmware are not affected by this issue.

Disclaimer:

This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable.
