Command Injection Vulnerability in TP-Link Tapo C260
CVE-2026-0652

8.7HIGH

Key Information:

Vendor: Tp-link Systems Inc.
Status: Tapo C260 V1
Vendor: CVE Published:; 10 February 2026

🔔 Create Tp-link Systems Inc. Vulnerability Alert

What is CVE-2026-0652?

A command injection vulnerability exists in the TP-Link Tapo C260 v1 due to improper sanitization of certain POST parameters during configuration synchronization. This weakness enables authenticated attackers to execute arbitrary system commands, potentially leading to severe impacts on the device's confidentiality, integrity, and availability, resulting in full device compromise.