Skip to main content

TP-Link Archer C5 CVE-2026-8699

| EUVDEUVD-2026-41407 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 f23511db-6c3e-4e32-a477-6aa17d310630 GHSA-2rgg-wpwx-p48p
7.0
CVSS 4.0 · Vendor: f23511db-6c3e-4e32-a477-6aa17d310630
Share

Severity by source

Vendor (f23511db-6c3e-4e32-a477-6aa17d310630) PRIMARY
7.0 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.6 HIGH

Adjacent management interface (AV:A) and existing admin access (PR:H) are required, a second admin must view the page (UI:R), and stored script crossing into the victim's session yields scope change with high confidentiality/integrity but no availability impact.

3.1 AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
4.0 AV:A/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (f23511db-6c3e-4e32-a477-6aa17d310630).

CVSS VectorVendor: f23511db-6c3e-4e32-a477-6aa17d310630

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 18:01 EUVD
Analysis Generated
Jul 02, 2026 - 17:30 vuln.today

DescriptionCVE.org

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.  An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator's browser.Successful exploitation allows execution of arbitrary JavaScript in an admin's browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings.

The vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers.

AnalysisAI

Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain admin access to Archer C5 UI
Delivery
Inject stored XSS payload into vulnerable field
Exploit
Payload persisted server-side
Execution
Second admin renders affected page
Persist
Script executes in admin browser
Impact
Steal session and alter router config

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess administrative privileges on the Archer C5 web management interface (CVSS PR:H) and adjacent-network access to that interface (AV:A) - it is not remotely reachable across the internet by default. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H, base 7.0) tells a consistent story with the description: exploitation requires adjacent-network reachability to the management interface, high privileges (an existing administrator account, PR:H), and active victim interaction (UI:A) by a second admin who renders the poisoned page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds administrative access to the Archer C5 web interface (for example a rogue co-administrator, a compromised admin session, or an ISP-side insider) injects a crafted JavaScript payload into a vulnerable configuration field. When a second, higher-trust administrator later opens the affected page, the stored script runs in their authenticated browser session, enabling session/cookie theft and silent modification of router settings. …
Remediation No vendor-released patch version was identified in the available data; the only reference is a TP-Link support FAQ (https://www.tp-link.com/en/support/faq/5165/) and the description states remediation is coordinated through the service provider, so affected users should contact their ISP to confirm and obtain the corrected ISP-managed firmware. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit and catalog all TP-Link Archer C5 v6.8 devices in infrastructure; implement firewall rules restricting web management interface access to trusted administrative networks only; review all active administrator accounts for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8699 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy