CVE-2026-0652
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
On TP-Link Tapo C260 v1, a command injection vulnerability exists due to improper sanitization of certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.
Analysis
Authenticated attackers can execute arbitrary commands on TP-Link Tapo C260 v1 cameras through command injection in POST parameters during configuration synchronization, potentially achieving complete device compromise. The vulnerability stems from insufficient input validation and affects confidentiality, integrity, and availability with no patch currently available.
Remediation
Within 24 hours: Inventory all TP-Link Tapo C260 v1 devices and isolate them on a restricted network segment with minimal trust relationships. Within 7 days: Contact TP-Link support for patch availability timeline and evaluate camera replacement options if patches are unavailable. …