CVE-2026-0652

HIGH

TP-Link Tapo C260 Firmware < 1.1.9 - OS Command Injection

Description

On TP-Link Tapo C260 v1, a command injection vulnerability exists due to improper sanitization of certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands, with high impact on confidentiality, integrity and availability. This may result in full device compromise.

Scores

CVSS v3 8.8
EPSS 0.0016
EPSS Percentile 37.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-78
Status published

Affected Products (1)

tp-link/tapo_c260_firmware < 1.1.9

Timeline

Published Feb 10, 2026
Tracked Since Feb 18, 2026