CVE-2026-0651
Published: 10 February 2026
Summary
CVE-2026-0651 is a high-severity Path Traversal (CWE-22) vulnerability in TP-Link Tapo C260 firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring identification, reporting, and correction of the path traversal flaw through timely application of TP-Link firmware updates.
- SI-10 (Information Input Validation): Prevents exploitation by mandating validation of HTTP GET request inputs to detect and reject crafted URL-encoded path traversal sequences before path normalization.
- Least privilege: Limits damage from successful path traversal by enforcing least privilege on the HTTP server process, restricting access to sensitive system files outside the web root.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal directly enables reading arbitrary local files (T1005) including credential stores (T1552.001) outside the web root via crafted GET requests.
NVD Description
A path traversal vulnerability was identified in TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server's handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. Successful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.
Deeper analysis
CVE-2026-0651 is a path traversal vulnerability (CWE-22) affecting the HTTP server in TP-Link Tapo C260 v1, D235 v1, and C520WS v2.6 devices. The issue arises during handling of GET requests, where the server performs path normalization before fully decoding URL-encoded input and falls back to the raw path if normalization fails. This logic flaw allows attackers to supply crafted, URL-encoded traversal sequences that bypass directory restrictions, enabling access to files outside the intended web root. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-10.
Attackers with low privileges (PR:L) and local access (AV:L) can exploit this vulnerability. Authenticated attackers may achieve disclosure of sensitive system files and credentials, while unauthenticated attackers can access non-sensitive static assets. Exploitation requires crafting specific URL-encoded payloads to manipulate path handling and evade normalization checks.
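To make the ordering flaw described above concrete, the following is an added illustration (not TP-Link's firmware code and not taken from the advisory): a small model of a resolver that normalizes before decoding and falls back to the raw path, beside a hardened resolver that decodes to a fixed point first, normalizes the decoded path, and rejects rather than falling back. The web root, file names and function names are constructed assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/www"  # constructed web root for the demo, not the device's real layout

def _normalize(path: str):
    """Collapse '.' and '..' segments; None when '..' climbs above the root."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None  # escaped above the root: normalization "fails"
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def resolve_vulnerable(request_path: str) -> str:
    """Model of the flawed order the advisory describes (an assumption, not the
    firmware's code): normalize the still-encoded path, fall back to the raw
    path when normalization fails, and only then decode."""
    normalized = _normalize(request_path)  # '%2e%2e' is just another segment here
    chosen = request_path if normalized is None else normalized
    return WEB_ROOT + unquote(chosen)  # decoding after the check undoes the check

def resolve_hardened(request_path: str):
    """Decode to a fixed point first, normalize the decoded path, and reject
    (never fall back to the raw path) when it would leave the web root."""
    decoded = request_path
    for _ in range(3):  # bounded so nested encodings cannot loop forever
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None  # still changing after three rounds: reject outright
    normalized = _normalize(decoded)
    if normalized is None or "\x00" in normalized:
        return None
    full = WEB_ROOT + normalized
    return full if full.startswith(WEB_ROOT + "/") else None

def escapes_root(path: str) -> bool:
    """True when the effective filesystem path lies outside WEB_ROOT."""
    real = posixpath.normpath(path)
    return not (real == WEB_ROOT or real.startswith(WEB_ROOT + "/"))
```

The hardened resolver also handles the double-encoded case, which the bounded decode loop reduces to its plain form before the confinement check runs.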
TP-Link advisories provide firmware download pages for the affected devices, including Tapo C260 v1 (https://www.tp-link.com/en/support/download/tapo-c260/v1/ and https://www.tp-link.com/us/support/download/tapo-c260/v1/), Tapo D235 v1 (https://www.tp-link.com/en/support/download/tapo-d235/), and Tapo C520WS v2.6 (https://www.tp-link.com/en/support/download/tapo-c520ws/ and https://www.tp-link.com/us/support/download/tapo-c520ws/). Security practitioners should apply the latest firmware updates from these sources to mitigate the vulnerability.
Details
- CWE(s)