CVE-2026-0651

HIGH

TP-Link Tapo C260 v1, D235 v1, C520WS v2.6 - Path Traversal via URL-Encoded GET Requests

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-0651. PoCs published by XiaomingX, l0lsec.

AI-analyzed exploit summary This repository contains a functional exploit chain for TP-Link Tapo C260 cameras, chaining three vulnerabilities (CVE-2026-0651, CVE-2026-0652, CVE-2026-0653) to achieve unauthenticated-to-root RCE. The exploit leverages path traversal for local file disclosure, arbitrary config write via JSON key manipulation, and command injection through unsanitized input in a popen() call.

Description

A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server’s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. Successful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-0651

This repository contains a functional exploit chain for TP-Link Tapo C260 cameras, chaining three vulnerabilities (CVE-2026-0651, CVE-2026-0652, CVE-2026-0653) to achieve unauthenticated-to-root RCE. The exploit leverages path traversal for local file disclosure, arbitrary config write via JSON key manipulation, and command injection through unsanitized input in a popen() call.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TP-Link Tapo C260 (pre-patch firmware)
No auth needed
Prerequisites: Network access to the camera or valid TP-Link cloud auth token · Guest-level credentials sufficient for full chain
devstral-2 · analyzed Mar 07, 2026 Full analysis →
nomisec WORKING POC
by l0lsec · poc
https://github.com/l0lsec/tapo-c260-rce

This repository contains a functional exploit chain for TP-Link Tapo C260 IP cameras, chaining three vulnerabilities (CVE-2026-0651, CVE-2026-0652, CVE-2026-0653) to achieve unauthenticated-to-root RCE. The exploit leverages path traversal, arbitrary config write, and command injection via unsanitized input in a popen() call.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TP-Link Tapo C260 (pre-patch firmware)
No auth needed
Prerequisites: Network access to the camera or valid TP-Link cloud auth token · Guest-level credentials sufficient for full chain
devstral-2 · analyzed Mar 07, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 7.8
EPSS 0.0030
EPSS Percentile 21.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (4)
TP Link Systems Inc./Tapo C520WS v2.6 < 1.2.4 Build 260326 Rel.24666n
tp-link/tapo_c260_firmware < 1.1.9
TP-Link Systems Inc./Tapo C260 v1 < 1.1.9 Build 251226 Rel.55870n
TP-Link Systems Inc./Tapo D235 v1 < 1.2.2 Build 260210 Rel.27165n
Published Feb 10, 2026
Tracked Since Feb 18, 2026