Detections
Analytics

CVE-2026-0652

high

Description

On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.

References

https://www.tp-link.com/us/support/faq/4960/

https://www.tp-link.com/us/support/download/tapo-c260/v1/

https://www.tp-link.com/en/support/download/tapo-c260/v1/

Details

Source: Mitre, NVD

Published: 2026-02-10

Updated: 2026-02-13

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Severity: High

EPSS

EPSS: 0.00497