CVE-2026-0652
Status: Analyzed - Analysis Complete
Command Injection in TP-Link Tapo C260 Causes Full Compromise

Publication date: 2026-02-10

Last updated on: 2026-02-13

Assigner: TPLink

Description
On TP-Link Tapo C260 v1, a command injection vulnerability exists due to improper sanitization of certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands, with high impact on confidentiality, integrity and availability. This may cause full device compromise.
Meta Information
Published: 2026-02-10
Last Modified: 2026-02-13
Generated: 2026-06-16
AI Q&A: 2026-02-10
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: tp-link
Product: tapo_c260_firmware
Version / Range: to 1.1.9 (exc)
CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2026-0652 is a command injection vulnerability found in the TP-Link Tapo C260 v1 device. It occurs because certain POST parameters used during configuration synchronization are not properly sanitized. This flaw allows an authenticated attacker, even with guest-level privileges, to inject and execute arbitrary system commands on the device.

This means the attacker can take control of the device by exploiting this vulnerability.

Impact Analysis

The vulnerability can lead to full device compromise, severely impacting the confidentiality, integrity, and availability of the device.

  • Confidentiality impact: Unauthorized access to sensitive information stored or processed by the device.
  • Integrity impact: The attacker can alter device configurations or data.
  • Availability impact: The attacker can disrupt the normal operation of the device, potentially causing denial of service.

Mitigation Strategies

Users are strongly advised to update the TP-Link Tapo C260 v1 device to the latest firmware version provided by TP-Link, specifically to firmware version 1.1.9 Build 251226 Rel.55870n or later.

Updating the firmware mitigates the command injection vulnerability caused by improper sanitization of certain POST parameters during configuration synchronization.
