QwikSec

Security Database

CVE

CWE

Training

CVE-2026-0652

Published: Feb 10, 2026

Modified: Feb 11, 2026

PUBLISHED

Description

On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.

Vendor	Product	Versions
TP-Link Systems Inc.	Tapo C260 v1	affected `0 - < 1.1.9 Build 251226 Rel.55870n`

Weaknesses (CWE)

References

https://www.tp-link.com/us/support/download/tapo-c260/v1/

patch

https://www.tp-link.com/en/support/download/tapo-c260/v1/

patch

https://www.tp-link.com/us/support/faq/4960/

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.