PT-2026-55273 · TP-Link · Archer C5
Published: 2026-07-02 · Updated: 2026-07-02 · CVE-2026-8699
CVSS v4.0: 7.0 (High)
Vector: AV:A/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Archer C5 version 6.8
Description
A stored Cross-Site Scripting (XSS) issue exists in the web-based management interface. The flaw stems from insufficient server-side validation and a lack of proper output encoding of user-controlled input. An attacker with administrative privileges can inject crafted HTML or JavaScript payloads into a specific field. These payloads are stored and executed when an administrator renders the affected page, allowing the execution of arbitrary JavaScript. This can lead to session hijacking, unauthorized access to router configuration, exposure of sensitive data, and modification of device settings. This issue specifically affects ISP-managed firmware variants.
Recommendations
As remediation is coordinated through service providers, contact your Internet Service Provider (ISP) to obtain the necessary firmware update for version 6.8.
Fix
XSS
Affected Products
Archer C5