QwikSec

Security Database

CVE

CWE

Training

CVE-2026-1571

Published: Feb 11, 2026

Modified: Mar 10, 2026

PUBLISHED

Description

User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted.

Vendor	Product	Versions
TP-Link Systems Inc.	Archer C60 v3	affected `0 - < V3_260206`

Weaknesses (CWE)

References

https://www.tp-link.com/en/support/download/archer-c60/#Firmware

patch

https://www.tp-link.com/us/support/faq/4961/

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.