Description
A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server’s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root.

Successful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.
Published: 2026-02-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote file disclosure and potential credential compromise
Action: Patch Immediately
AI Analysis

Impact

A path traversal flaw in TP‑Link Tapo devices’ HTTP server causes the server to normalize URLs before fully decoding them and, when normalization fails, fall back to the raw path. This logic allows an attacker to send URL‑encoded traversal sequences that bypass directory restrictions and read files outside the web root, including sensitive system files and credentials. The vulnerability results in confidential data disclosure and potential credential compromise for authenticated users, while unauthenticated users can access non‑sensitive static assets.

Affected Systems

Vendors and product models affected are TP‑Link Systems Inc., specifically the Tapo C260 v1, D235 v1, and C520WS v2.6. No other firmware versions are listed as vulnerable, and the issue appears limited to the current official releases referenced in the vendor’s support links.

Risk and Exploitability

With a CVSS score of 6.9 the vulnerability is considered moderate. The EPSS score is below 1 %, indicating a very low current exploitation probability, and the issue is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the likely attack scenario involves an attacker with local network access who can reach the device’s HTTPS interface; the attacker could supply crafted URL‑encoded traversal sequences that bypass directory restrictions and read files outside the web root. If the device is authenticated, the attacker can obtain sensitive files, but even unauthenticated users may read publicly served assets. Because the flaw is purely logical and does not require exploitation of a separate service, its impact is confined to the device and the local network, making it a localized but potentially damaging threat.

Generated by OpenCVE AI on April 16, 2026 at 01:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to the latest version (e.g., TP‑Link Tapo C520WS v2.6, C260 v1, or D235 v1) released by the vendor.
  • Restrict or disable the web management interface so that only trusted local hosts can access it.
  • If an immediate firmware update is not available, block the HTTPS port (443) or use firewall rules to limit access to the device’s management interface.

Generated by OpenCVE AI on April 16, 2026 at 01:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description On TP-Link Tapo C260 v1 and D235 v1, path traversal is possible due to improper handling of specific GET request paths via https, allowing local unauthenticated probing of filesystem paths. An attacker on the local network can determine whether certain files exists on the device, with no read, write or code execution possibilities. A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server’s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. Successful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N'}

 cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}

Fri, 13 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description On TP-Link Tapo C260 v1, path traversal is possible due to improper handling of specific GET request paths via https, allowing local unauthenticated probing of filesystem paths. An attacker on the local network can determine whether certain files exists on the device, with no read, write or code execution possibilities. On TP-Link Tapo C260 v1 and D235 v1, path traversal is possible due to improper handling of specific GET request paths via https, allowing local unauthenticated probing of filesystem paths. An attacker on the local network can determine whether certain files exists on the device, with no read, write or code execution possibilities.
References

Fri, 13 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link tapo C260
Tp-link tapo C260 Firmware
CPEs cpe:2.3:h:tp-link:tapo_c260:1:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c260_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link tapo C260
Tp-link tapo C260 Firmware
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tapo C260 V1
Vendors & Products Tp-link
Tp-link tapo C260 V1

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
Description On TP-Link Tapo C260 v1, path traversal is possible due to improper handling of specific GET request paths via https, allowing local unauthenticated probing of filesystem paths. An attacker on the local network can determine whether certain files exists on the device, with no read, write or code execution possibilities.
Title Path Traversal on TP-Link Tapo D235 and C260 via Local https
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N'}

Subscriptions

Tp-link Tapo C260 Tapo C260 Firmware Tapo C260 V1
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-04-07T14:33:37.831Z

Reserved: 2026-01-06T18:19:00.313Z

Link: CVE-2026-0651

cve-icon Vulnrichment

Updated: 2026-02-11T15:11:22.192Z

cve-icon NVD

Status : Modified

Published: 2026-02-10T18:16:21.977

Modified: 2026-04-02T18:16:26.293

Link: CVE-2026-0651

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:15:20Z

Weaknesses