{"id":76853,"date":"2026-02-10T20:57:31","date_gmt":"2026-02-10T17:27:31","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-0653-insecure-access-control-on-tp-link-tapo-d235-and-c260\/"},"modified":"2026-02-10T20:57:31","modified_gmt":"2026-02-10T17:27:31","slug":"cve-2026-0653-insecure-access-control-on-tp-link-tapo-d235-and-c260","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-0653-insecure-access-control-on-tp-link-tapo-d235-and-c260\/","title":{"rendered":"CVE-2026-0653 &#8211; Insecure Access Control on TP-Link Tapo D235 and C260"},"content":{"rendered":"<p>CVE ID : CVE-2026-0653<\/p>\n<p>Published :  Feb. 10, 2026, 5:27 p.m. | 54\u00a0minutes ago<\/p>\n<p>Description : On TP-Link Tapo C260 v1, a\u00a0guest\u2011level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.<\/p>\n<p>Severity: 7.2 | HIGH<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2026-0653 Published : Feb. 10, 2026, 5:27 p.m. | 54\u00a0minutes ago Description : On TP-Link Tapo C260 v1, a\u00a0guest\u2011level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-76853","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/76853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=76853"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/76853\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=76853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=76853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=76853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}