CVE-2026-0652
Status: Analyzed (Analysis Complete)
Command Injection in TP-Link Tapo C260 Causes Full Compromise

Publication date: 2026-02-10

Last updated on: 2026-02-13

Assigner: TPLink

Description
On TP-Link Tapo C260 v1, a command injection vulnerability exists due to improper sanitization of certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands, with high impact on confidentiality, integrity and availability. It may cause full device compromise.
Meta Information
Published: 2026-02-10
Last Modified: 2026-02-13
Generated: 2026-05-06
AI Q&A: 2026-02-10
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor: tp-link
Product: tapo_c260_firmware
Version / Range: up to 1.1.9 (excluding)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-0652 is a command injection vulnerability found in the TP-Link Tapo C260 v1 device. It occurs because certain POST parameters used during configuration synchronization are not properly sanitized. This flaw allows an authenticated attacker, even with guest-level privileges, to inject and execute arbitrary system commands on the device.

This means the attacker can take control of the device by exploiting this vulnerability.


How can this vulnerability impact me?

The vulnerability can lead to full device compromise, severely impacting the confidentiality, integrity, and availability of the device.

  • Confidentiality impact: Unauthorized access to sensitive information stored or processed by the device.
  • Integrity impact: The attacker can alter device configurations or data.
  • Availability impact: The attacker can disrupt the normal operation of the device, potentially causing denial of service.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

Users are strongly advised to update the TP-Link Tapo C260 v1 device to the latest firmware version provided by TP-Link, specifically to firmware version 1.1.9 Build 251226 Rel.55870n or later.

Updating the firmware mitigates the command injection vulnerability caused by improper sanitization of certain POST parameters during configuration synchronization.

