TP-Link Tapo C260 Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability allowing remote code execution has been identified in the TP-Link Tapo C260 v1 camera. This issue arises from improper sanitization of certain POST parameters during configuration synchronization, which could enable an authenticated attacker to execute arbitrary system commands. The vulnerability has a high impact, potentially leading to full device compromise.

Impact

Exploitation of this vulnerability allows arbitrary command execution on the device. The impact on the device's overall security and functionality is high, and exploitation can lead to complete compromise of the device.

Remediation

Users are advised to update to the latest firmware version. Instructions for downloading the update are available on the TP-Link Tapo C260 v1 support page.

Added: Feb 10, 2026, 8:34 PM
Updated: Feb 11, 2026, 2:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.2
remediation: 0.0
relevance: 2.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.