CVE-2026-0652

EUVD-2026-7069
On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
Affected Products (NVD)
VendorProductVersion
tp-linktapo_c260_firmware
𝑥
< 1.1.9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.tp-link.com/en/support/download/tapo-c260/v1/
https://www.tp-link.com/us/support/download/tapo-c260/v1/
https://www.tp-link.com/us/support/faq/4960/