Vulnerability Details CVE-2026-0651
On TP-Link Tapo C260 v1, path traversal is possible due to improper handling of specific GET request paths via https, allowing local unauthenticated probing of filesystem paths. An attacker on the local network can determine whether certain files exists on the device, with no read, write or code execution possibilities.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 17.4%
CVSS Severity
CVSS v3 Score 7.8
References
Products affected by CVE-2026-0651
-
cpe:2.3:h:tp-link:tapo_c260:1
-
cpe:2.3:o:tp-link:tapo_c260_firmware:*