CVE-2026-0652
HIGH WAF: High
CVSS 8.8
Published: 2026-02-10
CWE-78
On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c260_firmware | up to 1.1.9 |
References
- www.tp-link.com (Product)
- www.tp-link.com (Product)
- www.tp-link.com (Vendor Advisory)