Vulnerability Details CVE-2026-1571
User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.4%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2026-1571
-
cpe:2.3:h:tp-link:archer_c60:3.0
-
cpe:2.3:o:tp-link:archer_c60_firmware:*