Archer C60
by TP-Link
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-4498 | Cri | 0.64 | 9.8 | 0.02 | Jan 11, 2023 | In TP-Link routers, Archer C5 and WR710N-V1, running the latest available code, when receiving HTTP Basic Authentication the httpd service can be sent a crafted packet that causes a heap overflow. This can result in either a DoS (by crashing the httpd process) or an arbitrary… | ||
| CVE-2021-35003 | Cri | 0.64 | 9.8 | 0.08 | Jan 21, 2022 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer C90 1.0.6 Build 20200114 rel.73164(5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DNS… | ||
| CVE-2026-0834 | Hig | 0.57 | 8.8 | 0.00 | Jan 21, 2026 | Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can… | ||
| CVE-2023-38563 | Hig | 0.57 | 8.8 | 0.00 | Sep 6, 2023 | Archer C1200 firmware versions prior to 'Archer C1200(JP)_V2_230508' and Archer C9 firmware versions prior to 'Archer C9(JP)_V3_230508' allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands. | ||
| CVE-2023-37284 | Hig | 0.57 | 8.8 | 0.00 | Sep 6, 2023 | Improper authentication vulnerability in Archer C20 firmware versions prior to 'Archer C20(JP)_V1_230616' allows a network-adjacent unauthenticated attacker to execute an arbitrary OS command via a crafted request to bypass authentication. | ||
| CVE-2023-32619 | Hig | 0.57 | 8.8 | 0.00 | Sep 6, 2023 | Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505' and Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506' use hard-coded credentials to login to the affected device, which may allow a network-adjacent unauthenticated attacker to execute an arbitrary… | ||
| CVE-2023-39224 | Hig | 0.52 | 8.0 | 0.00 | Sep 6, 2023 | Archer C5 firmware all versions and Archer C7 firmware versions prior to 'Archer C7(JP)_V2_230602' allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Note that Archer C5 is no longer supported, therefore the update for this product is not provided. | ||
| CVE-2023-31188 | Hig | 0.52 | 8.0 | 0.00 | Sep 6, 2023 | Multiple TP-LINK products allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505', Archer C55 firmware versions prior to 'Archer… | ||
| CVE-2022-4499 | Hig | 0.49 | 7.5 | 0.01 | Jan 11, 2023 | TP-Link routers, Archer C5 and WR710N-V1, using the latest software, the strcmp function used for checking credentials in httpd, is susceptible to a side-channel attack. By measuring the response time of the httpd process, an attacker could guess each byte of the username and… | ||
| CVE-2023-0936 | Med | 0.42 | 6.5 | 0.01 | Feb 21, 2023 | A vulnerability was found in TP-Link Archer C50 V2_160801. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Web Management Interface. The manipulation leads to denial of service. The attack can only be initiated within the… | ||
| CVE-2025-15551 | Med | 0.36 | 5.6 | 0.00 | Feb 5, 2026 | The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack… | ||
| CVE-2026-1571 | 0.00 | — | 0.00 | Feb 11, 2026 | User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session… |
- risk 0.64cvss 9.8epss 0.02
In TP-Link routers, Archer C5 and WR710N-V1, running the latest available code, when receiving HTTP Basic Authentication the httpd service can be sent a crafted packet that causes a heap overflow. This can result in either a DoS (by crashing the httpd process) or an arbitrary…
- risk 0.64cvss 9.8epss 0.08
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer C90 1.0.6 Build 20200114 rel.73164(5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DNS…
- risk 0.57cvss 8.8epss 0.00
Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can…
- risk 0.57cvss 8.8epss 0.00
Archer C1200 firmware versions prior to 'Archer C1200(JP)_V2_230508' and Archer C9 firmware versions prior to 'Archer C9(JP)_V3_230508' allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands.
- risk 0.57cvss 8.8epss 0.00
Improper authentication vulnerability in Archer C20 firmware versions prior to 'Archer C20(JP)_V1_230616' allows a network-adjacent unauthenticated attacker to execute an arbitrary OS command via a crafted request to bypass authentication.
- risk 0.57cvss 8.8epss 0.00
Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505' and Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506' use hard-coded credentials to login to the affected device, which may allow a network-adjacent unauthenticated attacker to execute an arbitrary…
- risk 0.52cvss 8.0epss 0.00
Archer C5 firmware all versions and Archer C7 firmware versions prior to 'Archer C7(JP)_V2_230602' allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Note that Archer C5 is no longer supported, therefore the update for this product is not provided.
- risk 0.52cvss 8.0epss 0.00
Multiple TP-LINK products allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505', Archer C55 firmware versions prior to 'Archer…
- risk 0.49cvss 7.5epss 0.01
TP-Link routers, Archer C5 and WR710N-V1, using the latest software, the strcmp function used for checking credentials in httpd, is susceptible to a side-channel attack. By measuring the response time of the httpd process, an attacker could guess each byte of the username and…
- risk 0.42cvss 6.5epss 0.01
A vulnerability was found in TP-Link Archer C50 V2_160801. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Web Management Interface. The manipulation leads to denial of service. The attack can only be initiated within the…
- risk 0.36cvss 5.6epss 0.00
The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack…
- CVE-2026-1571Feb 11, 2026risk 0.00cvss —epss 0.00
User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session…