CVE-2026-0652

HIGH8.7Injection

Description

On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

Low

Integrity (Subsequent System)

Low

Availability (Subsequent System)

Low

Affected products

TP-Link Systems Inc. / Tapo C260 v10 – 1.1.9 Build 251226 Rel.55870n

References

MISChttps://www.tp-link.com/us/support/download/tapo-c260/v1/
MISChttps://www.tp-link.com/en/support/download/tapo-c260/v1/
MISChttps://www.tp-link.com/us/support/faq/4960/