CVE 8.7 HIGH

Remote Code Execution on TP-Link Tapo C260 by Guest User (CVE-2026-0652)

8.7 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Description

On TP-Link Tapo C260 v1, a command injection vulnerability exists due to improper sanitization of certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands, with high impact on confidentiality, integrity and availability. This may lead to full device compromise.

AI Analysis

Command injection vulnerability in TP-Link Tapo C260 v1 due to improper sanitization in certain POST parameters during configuration synchronization, allowing an authenticated attacker to execute arbitrary system commands.

Basic Information

ID: CVE-2026-0652
Source: TPLink
Published: Feb 10, 2026 at 17:27

Affected Product

Vendor: TP-Link Systems Inc.
Product: Tapo C260 v1
Affected Versions: TP-Link Systems Inc. Tapo C260 v1 0

CWE Classification

AI Assessment

AI Score: 8.7 / 10
AI Severity: High
Vendor: TP-Link
Product: Tapo C260
Version: v1
