CVE-2026-0651

Name of the Vulnerable Software and Affected Versions TP-Link Tapo C260 version v1

Description A flaw exists in the firmware of the TP-Link Tapo C260 IP camera related to incorrect path restriction of the directory path name. Successful exploitation allows a remote attacker to gain unauthorized access to protected information. Specifically, a path traversal issue is present due to improper handling of specific GET request paths via https. An attacker on the local network can determine if certain files exist on the device. No read, write, or code execution possibilities are present. The vulnerable request is sent via the ''https'' protocol.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.