Description
On TP-Link Tapo C260 v1, a command injection vulnerability exists due to improper sanitization of certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.
Published: 2026-02-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection flaw (CWE‑78): certain POST parameters handled during configuration synchronization on the TP‑Link Tapo C260 v1 are not sanitized before they reach a system command. An attacker who can authenticate to the device can therefore place shell syntax in those parameters and have it executed as arbitrary commands on the camera's operating system. Confidentiality, integrity and availability of the device itself are all fully affected (C:H/I:H/A:H in both CVSS vectors), which is what the description means by full device compromise. The CVSS v4 vector rates the impact on subsequent systems as low, but a camera under attacker control still gives a foothold on the local network and access to its video feed.

Affected Systems

Only the TP‑Link Tapo C260 hardware revision v1 is referenced, and no other products or revisions are listed as affected. The NVD CPE entries (tapo_c260 hardware version 1, and tapo_c260_firmware with no version bound) do not narrow the affected firmware versions, so until TP‑Link states a fixed version, every firmware build running on a v1 unit should be treated as vulnerable.

Risk and Exploitability

Both CVSS scores rate the flaw as high severity (8.7 on v4.0, 8.8 on v3.1), and the two vectors agree on what matters: exploitable over the network (AV:N), low attack complexity (AC:L), no user interaction (UI:N), but requiring a low‑privileged authenticated account (PR:L). The EPSS estimate of under 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate that no exploitation had been observed at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. No exploitation steps are public; the description only states that an authenticated user can send crafted POST requests to the configuration synchronization handler to trigger the injection. Since authentication is the only barrier, the practical risk is highest for cameras whose management interface is reachable from untrusted networks, or whose credentials are weak, shared or already compromised.

Generated by OpenCVE AI on April 17, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the TP‑Link support site for a Tapo C260 v1 firmware update and install it as soon as one is published; at the time of this analysis no vendor fix or workaround was listed, so the measures below are the only mitigation until then.
  • Keep the camera's management interface off the Internet: put the device on a segregated VLAN, allow only known management hosts to reach it with upstream firewall rules, and restrict or disable the configuration synchronization feature if the firmware lets you. Because exploitation requires a valid login (PR:L), also make sure the device account has a strong, unique password and rotate it if there is any doubt about who holds it.
  • For the vendor and anyone maintaining the firmware: treat the configuration‑sync POST parameters as untrusted input, validate each one against a strict allow‑list of expected values before use, and invoke the underlying tool without a shell (an argument vector passed to execve() rather than a formatted string passed to system()), following the CWE‑78 guidance.
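The CWE‑78 pattern behind the description and the last recommended action, as an added example that is not code from this advisory or from TP‑Link's firmware: a hypothetical configuration‑sync POST handler that splices a client‑supplied value into a shell command, beside a hardened version that validates the value against a strict allow‑list and passes it to the tool as a single argv element with no shell involved. The parameter name `sync_host`, the tool path `/usr/bin/sync_config` and the hostname grammar are assumptions made for illustration; the advisory names neither the vulnerable parameters nor the command they reach.

```c
/* Added example, not from the advisory or TP-Link firmware. The parameter
 * name "sync_host" and the tool "/usr/bin/sync_config" are assumptions made
 * for illustration. Builds with any C11 compiler, e.g. cc -std=c11 -Wall. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 256

/* --- Vulnerable pattern (CWE-78) ------------------------------------------
 * The untrusted POST value is formatted into a shell command line that real
 * firmware would hand to system() or popen(). Any shell metacharacter in the
 * value ends the intended argument and starts attacker-controlled commands.
 * Here the command is only rendered into a buffer so it can be inspected. */
int build_sync_cmd_vulnerable(const char *sync_host, char *out, size_t outlen)
{
    return snprintf(out, outlen, "/usr/bin/sync_config --host %s", sync_host);
}

/* Characters that let a value break out of a single shell argument. Whitespace
 * is not listed because the base command legitimately contains it; the
 * allow-list below rejects it inside the parameter anyway. */
bool has_shell_metachar(const char *cmd)
{
    return strpbrk(cmd, ";|&`$()<>\n'\"\\") != NULL;
}

/* Render the vulnerable command for a parameter value and report whether the
 * result could run more than the intended program. */
bool vulnerable_allows_injection(const char *sync_host)
{
    char cmd[CMD_MAX];
    int n = build_sync_cmd_vulnerable(sync_host, cmd, sizeof cmd);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return false;            /* formatting failed or truncated */
    return has_shell_metachar(cmd);
}

/* --- Hardened pattern ------------------------------------------------------
 * 1. Allow-list validation: a hostname is 1..253 bytes of labels made of ASCII
 *    letters, digits and '-', separated by '.', each label 1..63 bytes and not
 *    starting or ending with '-' (RFC 1123 subset). Everything else, including
 *    every shell metacharacter and all whitespace, is rejected. */
bool is_valid_hostname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253)
        return false;
    size_t label = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return false;    /* empty label, or label ending in '-' */
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return false;
        if (label == 0 && c == '-')
            return false;        /* label starting with '-' */
        if (++label > 63)
            return false;
    }
    return label > 0 && s[n - 1] != '-';
}

/* 2. No shell at all: build an argv vector for execve()/posix_spawn() so the
 *    value is always exactly one argument, whatever it contains. Returns the
 *    argument count, or -1 when the value fails validation. */
int build_sync_argv(const char *sync_host, const char *argv[4])
{
    if (!is_valid_hostname(sync_host))
        return -1;
    argv[0] = "/usr/bin/sync_config";
    argv[1] = "--host";
    argv[2] = sync_host;
    argv[3] = NULL;
    return 3;
}

bool hardened_accepts(const char *sync_host)
{
    const char *argv[4];
    return build_sync_argv(sync_host, argv) == 3;
}

int main(void)
{
    /* Constructed inputs: one benign value and one carrying a payload. */
    const char *benign  = "sync.example.net";
    const char *payload = "sync.example.net; cat /etc/passwd";
    char cmd[CMD_MAX];

    build_sync_cmd_vulnerable(payload, cmd, sizeof cmd);
    printf("vulnerable builds      : %s\n", cmd);
    printf("injection possible     : %s\n", vulnerable_allows_injection(payload) ? "yes" : "no");
    printf("hardened accepts benign : %s\n", hardened_accepts(benign) ? "yes" : "no");
    printf("hardened accepts payload: %s\n", hardened_accepts(payload) ? "yes" : "no");
    return 0;
}
```

The allow‑list and the argv vector are two independent layers: validation keeps junk out of the parameter, and dropping the shell means that even a value the validator wrongly accepts cannot be parsed as extra commands. A firmware fix that only escapes or strips a few characters before still calling system() leaves the second layer missing and tends to be bypassed by the next metacharacter nobody thought of.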


Advisories

No advisories yet.

History

Fri, 13 Feb 2026 21:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Tp-link tapo C260; Tp-link tapo C260 Firmware
  CPEs                 -                cpe:2.3:h:tp-link:tapo_c260:1:*:*:*:*:*:*:*; cpe:2.3:o:tp-link:tapo_c260_firmware:*:*:*:*:*:*:*:*
  Vendors & Products   -                Tp-link tapo C260; Tp-link tapo C260 Firmware
  Metrics              -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 11 Feb 2026 22:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Tp-link; Tp-link tapo C260 V1
  Vendors & Products   -                Tp-link; Tp-link tapo C260 V1

Wed, 11 Feb 2026 15:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 17:45:00 +0000

  Type                 Values Removed   Values Added
  Description          -                On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.
  Title                -                Remote Code Execution on TP-Link Tapo C260 by Guest User
  Weaknesses           -                CWE-78
  References           -                (values not shown on this page)
  Metrics              -                cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


MITRE
  Status: PUBLISHED
  Assigner: TPLink
  Published:
  Updated: 2026-02-11T15:10:30.479Z
  Reserved: 2026-01-06T18:19:01.813Z
  Link: CVE-2026-0652

Vulnrichment
  Updated: 2026-02-11T15:10:25.896Z

NVD
  Status: Analyzed
  Published: 2026-02-10T18:16:22.127
  Modified: 2026-02-13T20:45:16.673
  Link: CVE-2026-0652

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-17T20:45:25Z

Weaknesses