CVE-2026-0651 – Path Traversal on TP-Link Tapo D235 and C260 via Local https

CVE ID : CVE-2026-0651

Published : Feb. 10, 2026, 5:27 p.m. | 54 minutes ago

Description : On TP-Link Tapo C260 v1, path traversal is possible due to improper handling of specific GET request paths via https, allowing local unauthenticated probing of filesystem paths. An attacker on the local network can determine whether certain files exists on the device, with no read, write or code execution possibilities.

Severity: 5.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…