Description

On TP-Link Tapo C260 v1, path traversal is possible due to improper handling of specific GET request paths over HTTPS, allowing local unauthenticated probing of filesystem paths. An attacker on the local network can determine whether certain files exist on the device, but cannot read or write files or execute code.

PUBLISHED Reserved 2026-01-06 | Published 2026-02-10 | Updated 2026-02-11 | Assigner TPLink




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

Any version before 1.1.9 Build 251226 Rel.55870n: affected

Credits

spaceraccoon (finder)

References

www.tp-link.com/us/support/download/tapo-c260/v1/ patch

www.tp-link.com/en/support/download/tapo-c260/v1/ patch

www.tp-link.com/us/support/faq/4960/ vendor-advisory

cve.org (CVE-2026-0651)

nvd.nist.gov (CVE-2026-0651)
