CVE-2026-0651 (GCVE-0-2026-0651)
Vulnerability from cvelistv5
Published
2026-02-10 17:27
Modified
2026-04-07 14:33
Severity ?
6.9 (Medium) - CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server’s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. Successful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.
References
Impacted products
Vendor Product Version
TP-Link Systems Inc. Tapo C260 v1 Version: 0   < 1.1.9 Build 251226 Rel.55870n
 Create a notification for this product.
   TP-Link Systems Inc. Tapo D235 v1 Version: 0   < 1.2.2 Build 260210 Rel.27165n
 Create a notification for this product.
   TP Link Systems Inc. Tapo C520WS v2.6 Version: 0   < 1.2.4 Build 260326 Rel.24666n
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0651",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T15:11:14.603427Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T14:33:37.831Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Tapo C260 v1",
          "vendor": "TP-Link Systems Inc.",
          "versions": [
            {
              "lessThan": "1.1.9 Build 251226 Rel.55870n",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Tapo D235 v1",
          "vendor": "TP-Link Systems Inc.",
          "versions": [
            {
              "lessThan": "1.2.2 Build 260210 Rel.27165n",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Tapo C520WS v2.6",
          "vendor": "TP Link Systems Inc.",
          "versions": [
            {
              "lessThan": "1.2.4 Build 260326 Rel.24666n",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "spaceraccoon"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server\u2019s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. \n\u003cbr\u003eSuccessful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.\u0026nbsp;\u003cbr\u003e"
            }
          ],
          "value": "A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server\u2019s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. \n\nSuccessful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T17:26:18.757Z",
        "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "shortName": "TPLink"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.tp-link.com/us/support/download/tapo-c260/v1/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.tp-link.com/en/support/download/tapo-c260/v1/"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.tp-link.com/us/support/faq/4960/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.tp-link.com/en/support/download/tapo-d235/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.tp-link.com/us/support/download/tapo-c520ws/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.tp-link.com/en/support/download/tapo-c520ws/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Path Traversal on TP-Link Tapo D235 and C260 via Local https",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
    "assignerShortName": "TPLink",
    "cveId": "CVE-2026-0651",
    "datePublished": "2026-02-10T17:27:51.942Z",
    "dateReserved": "2026-01-06T18:19:00.313Z",
    "dateUpdated": "2026-04-07T14:33:37.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-0651\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-11T15:11:14.603427Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-11T15:11:22.192Z\"}}], \"cna\": {\"title\": \"Path Traversal on TP-Link Tapo D235 and C260 via Local https\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"spaceraccoon\"}], \"impacts\": [{\"capecId\": \"CAPEC-126\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-126 Path Traversal\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.9, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"TP-Link Systems Inc.\", \"product\": \"Tapo C260 v1\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.1.9 Build 251226 Rel.55870n\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"TP-Link Systems Inc.\", \"product\": \"Tapo D235 v1\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.2.2 Build 260210 Rel.27165n\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"TP Link Systems Inc.\", \"product\": \"Tapo C520WS v2.6\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.2.4 Build 260326 Rel.24666n\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.tp-link.com/us/support/download/tapo-c260/v1/\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.tp-link.com/en/support/download/tapo-c260/v1/\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.tp-link.com/us/support/faq/4960/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.tp-link.com/en/support/download/tapo-d235/\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.tp-link.com/us/support/download/tapo-c520ws/\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.tp-link.com/en/support/download/tapo-c520ws/\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server\\u2019s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. \\n\\nSuccessful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server\\u2019s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. \\n\u003cbr\u003eSuccessful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.\u0026nbsp;\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f23511db-6c3e-4e32-a477-6aa17d310630\", \"shortName\": \"TPLink\", \"dateUpdated\": \"2026-04-02T17:26:18.757Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-0651\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-07T14:33:37.831Z\", \"dateReserved\": \"2026-01-06T18:19:00.313Z\", \"assignerOrgId\": \"f23511db-6c3e-4e32-a477-6aa17d310630\", \"datePublished\": \"2026-02-10T17:27:51.942Z\", \"assignerShortName\": \"TPLink\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.