CVE-2026-0652 · HIGH 8.8 · EPSS p97.4%

Description

On TP-Link Tapo C260 v1, a command injection vulnerability exists due to improper sanitization of certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands, with high impact on confidentiality, integrity and availability. It may cause full device compromise.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 22.76% probability of exploitation · percentile 97.4% · 2026-06-18T12:00:27Z
Published: 2026-02-10
Last modified: 2026-02-13

Underlying weaknesses · 1

CWE-78

References

  1. https://www.tp-link.com/en/support/download/tapo-c260/v1/
  2. https://www.tp-link.com/us/support/download/tapo-c260/v1/
  3. https://www.tp-link.com/us/support/faq/4960/

Type: Weakness
Target: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-34121
  2. CVE-2026-0654
  3. CVE-2026-3841
  4. CVE-2026-8714
  5. CVE-2026-22226
  6. CVE-2026-22222

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.