Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
253 vulnerabilities by TP-Link Systems Inc.
CVE-2026-12760 (GCVE-0-2026-12760)
Vulnerability from cvelistv5 – Published: 2026-06-24 18:10 – Updated: 2026-06-24 18:53
VLAI
Title
Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200
Summary
A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets. An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of resources without limits or throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5143/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C200 v3 |
Affected:
0 , < 1.4.4 Build 250922
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T18:53:30.462879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T18:53:46.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"NVMP"
],
"product": "Tapo C200 v3",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.4 Build 250922",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arjan Chadha, Keysight Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u0026nbsp; An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.\u003cdiv\u003eSuccessful exploitation can remotely trigger a temporary denial-of-service condition,\u0026nbsp;\u003cspan\u003ecausing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u00a0 An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition,\u00a0causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording."
}
],
"impacts": [
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of resources without limits or throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T18:10:49.967Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5143/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-12760",
"datePublished": "2026-06-24T18:10:49.967Z",
"dateReserved": "2026-06-19T21:06:11.577Z",
"dateUpdated": "2026-06-24T18:53:46.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11834 (GCVE-0-2026-11834)
Vulnerability from cvelistv5 – Published: 2026-06-22 17:53 – Updated: 2026-06-23 03:56
VLAI
Title
Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers
Summary
A command
injection vulnerability has been identified in the DHCP option processing logic
in multiple TP-Link router models, due to insufficient validation of externally
supplied DHCP option data. An adjacent attacker may exploit this
vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized
command execution during device initialization or provisioning workflows. This
typically occurs when the device is in a factory-default or unconfigured state.
Successful
exploitation may allow an adjacent, unauthenticated attacker to execute
arbitrary commands with elevated privileges, potentially leading to full
compromise of the affected device and unauthorized administrative control.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
7 references
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Archer MR200 v07 |
Affected:
0 , < 1.3.0 Build 250605
(custom)
|
|
| TP-Link Systems Inc. | Archer MR200 v8 |
Affected:
0 , < 1.5.0 Build 260605
(custom)
|
|
| TP Link Systems Inc. | Archer MR402 v1 |
Affected:
0 , < 1.5.0 Build 260605
(custom)
|
|
| TP-Link Systems Inc. | Archer VR2100 v1 |
Affected:
0 , < EU_V1_260330
(custom)
|
|
| TP-Link Systems Inc. | Archer C20 v5 |
Affected:
0 , < EU_V5_260317
(custom)
Affected: 0 , < US_V5_260419 (custom) |
|
| TP-Link Systems Inc. | Archer C20 v6 |
Affected:
0 , < V6_260608
(custom)
|
|
| TP-Link Systems Inc. | TL-MR6400 v7 |
Affected:
0 , < 1.7.0 Build 260413
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11834",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T03:56:03.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Archer MR200 v07",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.3.0 Build 250605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer MR200 v8",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.5.0 Build 260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer MR402 v1",
"vendor": "TP Link Systems Inc.",
"versions": [
{
"lessThan": "1.5.0 Build 260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer VR2100 v1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "EU_V1_260330",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer C20 v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "EU_V5_260317",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "US_V5_260419",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer C20 v6",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "V6_260608",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TL-MR6400 v7",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.7.0 Build 260413",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matt Graham (mattg.systems)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA command\ninjection vulnerability has been identified in the DHCP option processing logic\nin multiple TP-Link router models, due to insufficient validation of externally\nsupplied DHCP option data.\u0026nbsp;An adjacent attacker may exploit this\nvulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized\ncommand execution during device initialization or provisioning workflows. This\ntypically occurs when the device is in a factory-default or unconfigured state.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow an adjacent, unauthenticated attacker to execute\narbitrary commands with elevated privileges, potentially leading to full\ncompromise of the affected device and unauthorized administrative control.\u003c/p\u003e"
}
],
"value": "A command\ninjection vulnerability has been identified in the DHCP option processing logic\nin multiple TP-Link router models, due to insufficient validation of externally\nsupplied DHCP option data.\u00a0An adjacent attacker may exploit this\nvulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized\ncommand execution during device initialization or provisioning workflows. This\ntypically occurs when the device is in a factory-default or unconfigured state.\n\n\n\n\n\nSuccessful\nexploitation may allow an adjacent, unauthenticated attacker to execute\narbitrary commands with elevated privileges, potentially leading to full\ncompromise of the affected device and unauthorized administrative control."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T18:25:03.149Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-c20/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-mr402/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-mr200/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tl-mr6400/v7/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-vr2100/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/archer-c20/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5141/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-11834",
"datePublished": "2026-06-22T17:53:48.436Z",
"dateReserved": "2026-06-09T22:14:54.973Z",
"dateUpdated": "2026-06-23T03:56:03.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11409 (GCVE-0-2026-11409)
Vulnerability from cvelistv5 – Published: 2026-06-16 21:03 – Updated: 2026-06-18 03:56
VLAI
Title
OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N
Summary
An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/en/support/download/tl-wr… | patch |
| https://www.tp-link.com/us/support/download/tl-wr… | patch |
| https://www.tp-link.com/us/support/faq/5131/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | TL-WR940N v6 |
Affected:
0 , < V6_260528
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T03:56:11.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TL-WR940N v6",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "V6_260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duong Ton Hoang Khang of Sacombank"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eAn authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.\u003c/div\u003e"
}
],
"value": "An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T21:03:47.128Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5131/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-11409",
"datePublished": "2026-06-16T21:03:47.128Z",
"dateReserved": "2026-06-05T18:37:11.242Z",
"dateUpdated": "2026-06-18T03:56:11.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11410 (GCVE-0-2026-11410)
Vulnerability from cvelistv5 – Published: 2026-06-16 21:03 – Updated: 2026-06-18 03:56
VLAI
Title
OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N
Summary
An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/en/support/download/tl-wr… | patch |
| https://www.tp-link.com/us/support/download/tl-wr… | patch |
| https://www.tp-link.com/us/support/faq/5131/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | TL-WR940N v6 |
Affected:
0 , < V6_260528
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11410",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T03:56:12.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TL-WR940N v6",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "V6_260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duong Ton Hoang Khang of Sacombank"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eAn authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.\u003c/div\u003e"
}
],
"value": "An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T21:03:13.733Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5131/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-11410",
"datePublished": "2026-06-16T21:03:13.733Z",
"dateReserved": "2026-06-05T18:37:13.184Z",
"dateUpdated": "2026-06-18T03:56:12.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6250 (GCVE-0-2026-6250)
Vulnerability from cvelistv5 – Published: 2026-06-11 20:46 – Updated: 2026-06-12 15:41
VLAI
Title
Authenticated Format String Injection on TP-Link Tapo C110
Summary
An
authenticated format string vulnerability exists in the ONVIF service of Tapo
C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as
a format string, which can be used to manipulate stack memory, including
control flow data such as return addresses.
A remote
authenticated attacker may redirect execution flow to existing internal
functions, triggering an unauthorized factory reset, leading to loss of
configuration, deletion of stored credentials and service disruption.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-134 - Use of Externally-Controlled format string
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C110 v2 |
Affected:
0 , < 1.5.4 Build 260428
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:41:39.052599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:41:58.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C110 v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.5.4 Build 260428",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juhyeop\u00a0Lee(@juhye0p) of STEALIEN"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u0026nbsp; Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\u003c/p\u003e\n\n\u003cp\u003eA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption.\u003c/p\u003e"
}
],
"value": "An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u00a0 Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\n\n\n\n\n\nA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption."
}
],
"impacts": [
{
"capecId": "CAPEC-135",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-135 Format String Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "CWE-134 Use of Externally-Controlled format string",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T20:46:09.672Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5128/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Format String Injection on TP-Link Tapo C110",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6250",
"datePublished": "2026-06-11T20:46:09.672Z",
"dateReserved": "2026-04-13T18:44:25.412Z",
"dateUpdated": "2026-06-12T15:41:58.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9151 (GCVE-0-2026-9151)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:10 – Updated: 2026-06-11 03:55
VLAI
Title
Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers
Summary
An OS
command injection vulnerability exists in the VPN module of TP-Link Archer AX12
v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an
adjacent, authenticated attacker to execute arbitrary commands on the device by
importing a specially crafted VPN client configuration file. The issue stems
from improper filtering of special characters.
Successful
exploitation of this vulnerability may enable an attacker to gain full control
of the affected device, potentially compromising configuration integrity,
network security, and service availability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
5 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Archer AX12 V1 |
Affected:
0 , < V1_1.5.0 Build 20260605
(custom)
|
|
| TP-Link Systems Inc. | Archer AX18 v1 |
Affected:
0 , < V1_1.5.0 Build 20260605
(custom)
|
|
| TP Link Systems Inc. | Archer AX17 v1 |
Affected:
0 , < V1_1.5.0 Build 20260605
(custom)
|
|
| TP-Link Systems Inc. | Archer AX1300 v1.6 |
Affected:
0 , < V1_1.5.0 Build 20260605
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T03:55:33.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"openvpn"
],
"product": "Archer AX12 V1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "V1_1.5.0 Build 20260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer AX18 v1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "V1_1.5.0 Build 20260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer AX17 v1",
"vendor": "TP Link Systems Inc.",
"versions": [
{
"lessThan": "V1_1.5.0 Build 20260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer AX1300 v1.6",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "V1_1.5.0 Build 20260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Henri Nurmi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn OS\ncommand injection vulnerability exists in the VPN module of TP-Link Archer AX12\nv1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an\nadjacent, authenticated attacker to execute arbitrary commands on the device by\nimporting a specially crafted VPN client configuration file. The issue stems\nfrom improper filtering of special characters.\u0026nbsp;\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation of this vulnerability may enable an attacker to gain full control\nof the affected device, potentially compromising configuration integrity,\nnetwork security, and service availability.\u003c/p\u003e"
}
],
"value": "An OS\ncommand injection vulnerability exists in the VPN module of TP-Link Archer AX12\nv1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an\nadjacent, authenticated attacker to execute arbitrary commands on the device by\nimporting a specially crafted VPN client configuration file. The issue stems\nfrom improper filtering of special characters.\u00a0\n\n\n\n\n\nSuccessful\nexploitation of this vulnerability may enable an attacker to gain full control\nof the affected device, potentially compromising configuration integrity,\nnetwork security, and service availability."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:10:10.842Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-ax17/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-ax12/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-ax18/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/archer-ax1300/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5125/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-9151",
"datePublished": "2026-06-10T17:10:10.842Z",
"dateReserved": "2026-05-20T22:32:54.201Z",
"dateUpdated": "2026-06-11T03:55:33.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8913 (GCVE-0-2026-8913)
Vulnerability from cvelistv5 – Published: 2026-06-08 17:21 – Updated: 2026-06-09 03:55
VLAI
Title
Command Injection in TP-Link's Archer MR600 WireGuard Client Configuration
Summary
A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/en/support/download/arche… | patch |
| https://www.tp-link.com/jp/support/download/arche… | patch |
| https://www.tp-link.com/us/support/faq/5122/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Archer MR600 v5 |
Affected:
0 , < EU_V5_1.7.0 0.9.1 260518 rel67803
(custom)
Affected: 0 , < JP_V5_1.2.0 0.9.1 260519 rel52362 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8913",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:55:38.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Archer MR600 v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "EU_V5_1.7.0 0.9.1 260518 rel67803",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "JP_V5_1.2.0 0.9.1 260519 rel52362",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Akira Moroo (Ricerca Security, Inc.), Satoki Tsuji (Ricerca Security, Inc.), Anonymous"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.\u003cdiv\u003eSuccessful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.\u003c/div\u003e"
}
],
"value": "A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T17:21:45.936Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-mr600/v5/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/jp/support/download/archer-mr600/v5/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5122/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Command Injection in TP-Link\u0027s Archer MR600 WireGuard Client Configuration",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-8913",
"datePublished": "2026-06-08T17:21:45.936Z",
"dateReserved": "2026-05-18T23:12:55.471Z",
"dateUpdated": "2026-06-09T03:55:38.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6242 (GCVE-0-2026-6242)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:52 – Updated: 2026-06-08 13:17
VLAI
Title
Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS
Summary
An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.
Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-134 - Use of Externally-Controlled format string
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:17:05.938418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:17:15.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.\n\u003cbr\u003eSuccessful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.\n\nSuccessful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications."
}
],
"impacts": [
{
"capecId": "CAPEC-135",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-135 Format String Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "CWE-134 Use of Externally-Controlled format string",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:52:36.290Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6242",
"datePublished": "2026-06-05T23:52:36.290Z",
"dateReserved": "2026-04-13T17:10:28.804Z",
"dateUpdated": "2026-06-08T13:17:15.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6241 (GCVE-0-2026-6241)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:52 – Updated: 2026-06-08 13:06
VLAI
Title
Authenticated Format String Vulnerability in ONVIF AddScopes Method on TP-Link Tapo C520WS
Summary
An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.
Successful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-134 - Use of Externally-Controlled format string
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:06:09.112804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:06:17.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.\n\u003cbr\u003eSuccessful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.\n\nSuccessful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation."
}
],
"impacts": [
{
"capecId": "CAPEC-135",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-135 Format String Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "CWE-134 Use of Externally-Controlled format string",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:52:18.189Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Format String Vulnerability in ONVIF AddScopes Method on TP-Link Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6241",
"datePublished": "2026-06-05T23:52:18.189Z",
"dateReserved": "2026-04-13T17:10:26.104Z",
"dateUpdated": "2026-06-08T13:06:17.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6240 (GCVE-0-2026-6240)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:51 – Updated: 2026-06-08 13:08
VLAI
Title
Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C520WS
Summary
A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.
Successful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:07:55.306567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:08:05.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.\n\u003cbr\u003eSuccessful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.\n\nSuccessful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:51:39.483Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6240",
"datePublished": "2026-06-05T23:51:39.483Z",
"dateReserved": "2026-04-13T17:10:23.938Z",
"dateUpdated": "2026-06-08T13:08:05.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6239 (GCVE-0-2026-6239)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:50 – Updated: 2026-06-08 13:07
VLAI
Title
Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520WS
Summary
A stack‑based
buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where
the device fails to properly validate the number of XML user nodes during
request processing. An authenticated attacker can send a specially crafted
ONVIF request containing an excessive number of user entries to trigger memory
corruption.
Successful
exploitation may cause the ONVIF management service to terminate unexpectedly,
resulting in a denial‑of‑service (DoS) condition that disrupts device
configuration and management functions.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:07:25.793532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:07:41.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stack\u2011based\nbuffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where\nthe device fails to properly validate the number of XML user nodes during\nrequest processing. An authenticated attacker can send a specially crafted\nONVIF request containing an excessive number of user entries to trigger memory\ncorruption.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eSuccessful\nexploitation may cause the ONVIF management service to terminate unexpectedly,\nresulting in a denial\u2011of\u2011service (DoS) condition that disrupts device\nconfiguration and management functions.\u003c/p\u003e"
}
],
"value": "A stack\u2011based\nbuffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where\nthe device fails to properly validate the number of XML user nodes during\nrequest processing. An authenticated attacker can send a specially crafted\nONVIF request containing an excessive number of user entries to trigger memory\ncorruption.\n\n\n\n\n\n\n\n\n\nSuccessful\nexploitation may cause the ONVIF management service to terminate unexpectedly,\nresulting in a denial\u2011of\u2011service (DoS) condition that disrupts device\nconfiguration and management functions."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:50:59.001Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6239",
"datePublished": "2026-06-05T23:50:59.001Z",
"dateReserved": "2026-04-13T17:10:22.074Z",
"dateUpdated": "2026-06-08T13:07:41.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34123 (GCVE-0-2026-34123)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:50 – Updated: 2026-06-08 13:06
VLAI
Title
Whitelist Validation Bypass in TP-Link Tapo C520WS
Summary
On Tapo
C520WS v2, restricted accounts (for example, hub users) are intended to execute
only a limited set of low‑sensitivity operations. Due to a logic flaw in the
device’s API authorization mechanism, an attacker can craft requests that
leverage legitimate “method mapping” behavior to bypass whitelist restrictions,
allowing restricted operations to be masked as permitted requests and executed.
Successful
exploitation may allow an attacker (with access to a restricted account) to
execute unauthorized sensitive operations.
Depending on the operation invoked, impact could include device
resets, unintended configuration changes, or disruption of normal operation,
leading to loss of availability and integrity of the device.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34123",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:06:49.208336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:06:57.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn Tapo\nC520WS v2, restricted accounts (for example, hub users) are intended to execute\nonly a limited set of low\u2011sensitivity operations. Due to a logic flaw in the\ndevice\u2019s API authorization mechanism, an attacker can craft requests that\nleverage legitimate \u201cmethod mapping\u201d behavior to bypass whitelist restrictions,\nallowing restricted operations to be masked as permitted requests and executed.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow an attacker (with access to a restricted account) to\nexecute \u003cb\u003eunauthorized sensitive operations.\u0026nbsp;\n\u003c/b\u003eDepending on the operation invoked, impact could include device\nresets, unintended configuration changes, or disruption of normal operation,\nleading to loss of availability and integrity of the device.\u003c/p\u003e"
}
],
"value": "On Tapo\nC520WS v2, restricted accounts (for example, hub users) are intended to execute\nonly a limited set of low\u2011sensitivity operations. Due to a logic flaw in the\ndevice\u2019s API authorization mechanism, an attacker can craft requests that\nleverage legitimate \u201cmethod mapping\u201d behavior to bypass whitelist restrictions,\nallowing restricted operations to be masked as permitted requests and executed.\n\n\n\n\n\nSuccessful\nexploitation may allow an attacker (with access to a restricted account) to\nexecute unauthorized sensitive operations.\u00a0\nDepending on the operation invoked, impact could include device\nresets, unintended configuration changes, or disruption of normal operation,\nleading to loss of availability and integrity of the device."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:50:40.407Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Whitelist Validation Bypass in TP-Link Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-34123",
"datePublished": "2026-06-05T23:50:40.407Z",
"dateReserved": "2026-03-25T18:54:03.343Z",
"dateUpdated": "2026-06-08T13:06:57.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8714 (GCVE-0-2026-8714)
Vulnerability from cvelistv5 – Published: 2026-06-05 16:14 – Updated: 2026-06-05 17:25
VLAI
Title
Denial-of-Service Vulnerability in RTSP Input Handling on TP-Link's Tapo C520WS
Summary
A denial-of-service
vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of
syntactically invalid input. Crafted inputs
can trigger a processing error, causing the RTSP service to enter non-responsive
state.
Successful
exploitation may cause the RTSP in a denial-of-service condition.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5118/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528 Rel.60422n
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T17:24:52.406696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:25:13.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"parent control"
],
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528 Rel.60422n",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eirik Alvheim"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA denial-of-service\nvulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of\nsyntactically invalid input.\u0026nbsp; Crafted inputs\ncan trigger a processing error, causing the RTSP service to enter non-responsive\nstate.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may cause the RTSP in a denial-of-service condition.\u003c/p\u003e"
}
],
"value": "A denial-of-service\nvulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of\nsyntactically invalid input.\u00a0 Crafted inputs\ncan trigger a processing error, causing the RTSP service to enter non-responsive\nstate.\n\n\n\n\n\nSuccessful\nexploitation may cause the RTSP in a denial-of-service condition."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T16:14:28.703Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5118/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial-of-Service Vulnerability in RTSP Input Handling on TP-Link\u0027s Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-8714",
"datePublished": "2026-06-05T16:14:28.703Z",
"dateReserved": "2026-05-15T20:50:58.600Z",
"dateUpdated": "2026-06-05T17:25:13.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1871 (GCVE-0-2026-1871)
Vulnerability from cvelistv5 – Published: 2026-06-02 16:13 – Updated: 2026-06-02 18:24
VLAI
Title
Authenticated Stack-based Buffer Overflow in RTSP Authentication of Tapo C200
Summary
TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request.
Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera’s live video stream or management interface until the service restarts.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C200 v5 |
Affected:
0 , < 1.4.4 Build 260527 Rel.28339n
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:21:22.840412Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:24:54.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C200 v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.4 Build 260527 Rel.28339n",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sumin Kim (@Shine)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request.\n\u003cbr\u003eSuccessful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera\u2019s live video stream or management interface until the service restarts.\u0026nbsp;\u003cbr\u003e"
}
],
"value": "TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request.\n\nSuccessful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera\u2019s live video stream or management interface until the service restarts."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:13:36.640Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c200/v5/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c200/v5/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/kr/support/download/tapo-c200/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5113/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Stack-based Buffer Overflow in RTSP Authentication of Tapo C200",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-1871",
"datePublished": "2026-06-02T16:13:36.640Z",
"dateReserved": "2026-02-04T00:03:47.430Z",
"dateUpdated": "2026-06-02T18:24:54.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34127 (GCVE-0-2026-34127)
Vulnerability from cvelistv5 – Published: 2026-05-29 18:59 – Updated: 2026-05-29 19:50
VLAI
Title
Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE
Summary
A stored
cross-site scripting (XSS) vulnerability has been identified in the web
management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM
configuration parameter during configuration file import. An attacker with
administrator access can inject malicious script into the device configuration,
which may be stored and executed in the administrator’s browser when the
affected interface is viewed.
Successful
exploitation may allow session cookie theft, unauthorized configuration
changes, or access to sensitive information exposed through the management
interface.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/en/support/download/tl-sg… | patch |
| https://www.tp-link.com/us/support/download/tl-sg… | patch |
| https://www.tp-link.com/us/support/faq/5110/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | TL-SG108PE v5 |
Affected:
0 , < 1.0.1 Build 260330
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:50:05.541707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:50:18.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TL-SG108PE v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.0.1 Build 260330",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christopher Walker"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link\u0027s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator\u2019s browser when the\naffected interface is viewed.\u0026nbsp; \u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface.\u003c/p\u003e"
}
],
"value": "A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link\u0027s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator\u2019s browser when the\naffected interface is viewed.\u00a0 \u00a0\u00a0\n\n\n\n\n\nSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:59:14.008Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5110/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link\u0027s TL-SG108PE",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-34127",
"datePublished": "2026-05-29T18:59:14.008Z",
"dateReserved": "2026-03-25T18:54:03.344Z",
"dateUpdated": "2026-05-29T19:50:18.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34126 (GCVE-0-2026-34126)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:47 – Updated: 2026-05-28 19:25
VLAI
Title
Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link's Tapo L535E, P300 and D100C
Summary
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.
An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.
An attacker
within the Bluetooth range could exploit this behavior using Bluetooth sniffing
or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth
communication, manipulate transmitted setup data and potentially gain
unauthorized control of the device during initialization.
D100C is the
chime delivered with your Tapo camera, and it is delivered with the following
Tapo products:
D130, D210, D235,
D225, TD21, TDB21 and TD25
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-319 - Cleartext transmission of sensitive information
Assigner
References
6 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo L535E v1.0, v3.0 |
Affected:
0 , < 1.4.1 Build 251016 Rel.204554
(custom)
|
|
| TP-Link Systems Inc. | Tapo P300 v1.0 |
Affected:
0 , < EU_1.4.2 Build 251219 Rel.142654
(custom)
Affected: 0 , < JP_1.4.0 Build 260416 Rel.014037 (custom) |
|
| TP Link Systems Inc. | Tapo D100C v1.0 |
Affected:
0 , < 1.3.1 Build 260421 Rel.031658
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:21:58.314711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:25:53.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"RTOS"
],
"product": "Tapo L535E v1.0, v3.0",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.1 Build 251016 Rel.204554",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"RTOS"
],
"product": "Tapo P300 v1.0",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "EU_1.4.2 Build 251219 Rel.142654",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "JP_1.4.0 Build 260416 Rel.014037",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"RTOS"
],
"product": "Tapo D100C v1.0",
"vendor": "TP Link Systems Inc.",
"versions": [
{
"lessThan": "1.3.1 Build 260421 Rel.031658",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "eyegrep and izurina from L Plus LLC"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.\n\u003cbr\u003eAn attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.\u0026nbsp;\u003cbr\u003e\u003cdiv\u003e\u003cp\u003eAn attacker\nwithin the Bluetooth range could exploit this behavior using Bluetooth sniffing\nor man-in-the-middle techniques, which may allow eavesdropping on Bluetooth\ncommunication, manipulate transmitted setup data and potentially gain\nunauthorized control of the device during initialization.\u003c/p\u003e\u003cp\u003eD100C is the\nchime delivered with your Tapo camera, and it is delivered with the following\nTapo products:\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eD130, D210, D235,\nD225, TD21, TDB21 and TD25\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.\n\nAn attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.\u00a0\n\n\nAn attacker\nwithin the Bluetooth range could exploit this behavior using Bluetooth sniffing\nor man-in-the-middle techniques, which may allow eavesdropping on Bluetooth\ncommunication, manipulate transmitted setup data and potentially gain\nunauthorized control of the device during initialization.\n\n\n\nD100C is the\nchime delivered with your Tapo camera, and it is delivered with the following\nTapo products:\n\n\n\n\n\n\n\n\n\nD130, D210, D235,\nD225, TD21, TDB21 and TD25"
}
],
"impacts": [
{
"capecId": "CAPEC-157",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-157 Sniffing Attacks"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext transmission of sensitive information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:47:15.988Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-l535e/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-l535e/v3/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/jp/support/download/tapo-p300/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-p300/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/jp/support/download/tapo-l535e/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5106/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link\u0027s Tapo L535E, P300 and D100C",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-34126",
"datePublished": "2026-05-28T16:47:15.988Z",
"dateReserved": "2026-03-25T18:54:03.343Z",
"dateUpdated": "2026-05-28T19:25:53.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6250 (GCVE-0-2026-6250)
Vulnerability from nvd – Published: 2026-06-11 20:46 – Updated: 2026-06-12 15:41
VLAI
Title
Authenticated Format String Injection on TP-Link Tapo C110
Summary
An
authenticated format string vulnerability exists in the ONVIF service of Tapo
C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as
a format string, which can be used to manipulate stack memory, including
control flow data such as return addresses.
A remote
authenticated attacker may redirect execution flow to existing internal
functions, triggering an unauthorized factory reset, leading to loss of
configuration, deletion of stored credentials and service disruption.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-134 - Use of Externally-Controlled format string
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C110 v2 |
Affected:
0 , < 1.5.4 Build 260428
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:41:39.052599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:41:58.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C110 v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.5.4 Build 260428",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juhyeop\u00a0Lee(@juhye0p) of STEALIEN"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u0026nbsp; Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\u003c/p\u003e\n\n\u003cp\u003eA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption.\u003c/p\u003e"
}
],
"value": "An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.\u00a0 Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\n\n\n\n\n\nA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption."
}
],
"impacts": [
{
"capecId": "CAPEC-135",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-135 Format String Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "CWE-134 Use of Externally-Controlled format string",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T20:46:09.672Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5128/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Format String Injection on TP-Link Tapo C110",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6250",
"datePublished": "2026-06-11T20:46:09.672Z",
"dateReserved": "2026-04-13T18:44:25.412Z",
"dateUpdated": "2026-06-12T15:41:58.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9151 (GCVE-0-2026-9151)
Vulnerability from nvd – Published: 2026-06-10 17:10 – Updated: 2026-06-11 03:55
VLAI
Title
Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers
Summary
An OS
command injection vulnerability exists in the VPN module of TP-Link Archer AX12
v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an
adjacent, authenticated attacker to execute arbitrary commands on the device by
importing a specially crafted VPN client configuration file. The issue stems
from improper filtering of special characters.
Successful
exploitation of this vulnerability may enable an attacker to gain full control
of the affected device, potentially compromising configuration integrity,
network security, and service availability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
5 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Archer AX12 V1 |
Affected:
0 , < V1_1.5.0 Build 20260605
(custom)
|
|
| TP-Link Systems Inc. | Archer AX18 v1 |
Affected:
0 , < V1_1.5.0 Build 20260605
(custom)
|
|
| TP Link Systems Inc. | Archer AX17 v1 |
Affected:
0 , < V1_1.5.0 Build 20260605
(custom)
|
|
| TP-Link Systems Inc. | Archer AX1300 v1.6 |
Affected:
0 , < V1_1.5.0 Build 20260605
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T03:55:33.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"openvpn"
],
"product": "Archer AX12 V1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "V1_1.5.0 Build 20260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer AX18 v1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "V1_1.5.0 Build 20260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer AX17 v1",
"vendor": "TP Link Systems Inc.",
"versions": [
{
"lessThan": "V1_1.5.0 Build 20260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer AX1300 v1.6",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "V1_1.5.0 Build 20260605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Henri Nurmi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn OS\ncommand injection vulnerability exists in the VPN module of TP-Link Archer AX12\nv1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an\nadjacent, authenticated attacker to execute arbitrary commands on the device by\nimporting a specially crafted VPN client configuration file. The issue stems\nfrom improper filtering of special characters.\u0026nbsp;\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation of this vulnerability may enable an attacker to gain full control\nof the affected device, potentially compromising configuration integrity,\nnetwork security, and service availability.\u003c/p\u003e"
}
],
"value": "An OS\ncommand injection vulnerability exists in the VPN module of TP-Link Archer AX12\nv1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an\nadjacent, authenticated attacker to execute arbitrary commands on the device by\nimporting a specially crafted VPN client configuration file. The issue stems\nfrom improper filtering of special characters.\u00a0\n\n\n\n\n\nSuccessful\nexploitation of this vulnerability may enable an attacker to gain full control\nof the affected device, potentially compromising configuration integrity,\nnetwork security, and service availability."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:10:10.842Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-ax17/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-ax12/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-ax18/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/archer-ax1300/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5125/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-9151",
"datePublished": "2026-06-10T17:10:10.842Z",
"dateReserved": "2026-05-20T22:32:54.201Z",
"dateUpdated": "2026-06-11T03:55:33.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8913 (GCVE-0-2026-8913)
Vulnerability from nvd – Published: 2026-06-08 17:21 – Updated: 2026-06-09 03:55
VLAI
Title
Command Injection in TP-Link's Archer MR600 WireGuard Client Configuration
Summary
A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/en/support/download/arche… | patch |
| https://www.tp-link.com/jp/support/download/arche… | patch |
| https://www.tp-link.com/us/support/faq/5122/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Archer MR600 v5 |
Affected:
0 , < EU_V5_1.7.0 0.9.1 260518 rel67803
(custom)
Affected: 0 , < JP_V5_1.2.0 0.9.1 260519 rel52362 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8913",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:55:38.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Archer MR600 v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "EU_V5_1.7.0 0.9.1 260518 rel67803",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "JP_V5_1.2.0 0.9.1 260519 rel52362",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Akira Moroo (Ricerca Security, Inc.), Satoki Tsuji (Ricerca Security, Inc.), Anonymous"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.\u003cdiv\u003eSuccessful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.\u003c/div\u003e"
}
],
"value": "A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T17:21:45.936Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-mr600/v5/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/jp/support/download/archer-mr600/v5/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5122/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Command Injection in TP-Link\u0027s Archer MR600 WireGuard Client Configuration",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-8913",
"datePublished": "2026-06-08T17:21:45.936Z",
"dateReserved": "2026-05-18T23:12:55.471Z",
"dateUpdated": "2026-06-09T03:55:38.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6242 (GCVE-0-2026-6242)
Vulnerability from nvd – Published: 2026-06-05 23:52 – Updated: 2026-06-08 13:17
VLAI
Title
Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS
Summary
An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.
Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-134 - Use of Externally-Controlled format string
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:17:05.938418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:17:15.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.\n\u003cbr\u003eSuccessful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.\n\nSuccessful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications."
}
],
"impacts": [
{
"capecId": "CAPEC-135",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-135 Format String Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "CWE-134 Use of Externally-Controlled format string",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:52:36.290Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6242",
"datePublished": "2026-06-05T23:52:36.290Z",
"dateReserved": "2026-04-13T17:10:28.804Z",
"dateUpdated": "2026-06-08T13:17:15.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6241 (GCVE-0-2026-6241)
Vulnerability from nvd – Published: 2026-06-05 23:52 – Updated: 2026-06-08 13:06
VLAI
Title
Authenticated Format String Vulnerability in ONVIF AddScopes Method on TP-Link Tapo C520WS
Summary
An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.
Successful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-134 - Use of Externally-Controlled format string
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:06:09.112804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:06:17.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.\n\u003cbr\u003eSuccessful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.\n\nSuccessful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation."
}
],
"impacts": [
{
"capecId": "CAPEC-135",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-135 Format String Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "CWE-134 Use of Externally-Controlled format string",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:52:18.189Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Format String Vulnerability in ONVIF AddScopes Method on TP-Link Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6241",
"datePublished": "2026-06-05T23:52:18.189Z",
"dateReserved": "2026-04-13T17:10:26.104Z",
"dateUpdated": "2026-06-08T13:06:17.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6240 (GCVE-0-2026-6240)
Vulnerability from nvd – Published: 2026-06-05 23:51 – Updated: 2026-06-08 13:08
VLAI
Title
Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C520WS
Summary
A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.
Successful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:07:55.306567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:08:05.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.\n\u003cbr\u003eSuccessful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.\n\nSuccessful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:51:39.483Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6240",
"datePublished": "2026-06-05T23:51:39.483Z",
"dateReserved": "2026-04-13T17:10:23.938Z",
"dateUpdated": "2026-06-08T13:08:05.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6239 (GCVE-0-2026-6239)
Vulnerability from nvd – Published: 2026-06-05 23:50 – Updated: 2026-06-08 13:07
VLAI
Title
Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520WS
Summary
A stack‑based
buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where
the device fails to properly validate the number of XML user nodes during
request processing. An authenticated attacker can send a specially crafted
ONVIF request containing an excessive number of user entries to trigger memory
corruption.
Successful
exploitation may cause the ONVIF management service to terminate unexpectedly,
resulting in a denial‑of‑service (DoS) condition that disrupts device
configuration and management functions.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:07:25.793532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:07:41.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stack\u2011based\nbuffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where\nthe device fails to properly validate the number of XML user nodes during\nrequest processing. An authenticated attacker can send a specially crafted\nONVIF request containing an excessive number of user entries to trigger memory\ncorruption.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eSuccessful\nexploitation may cause the ONVIF management service to terminate unexpectedly,\nresulting in a denial\u2011of\u2011service (DoS) condition that disrupts device\nconfiguration and management functions.\u003c/p\u003e"
}
],
"value": "A stack\u2011based\nbuffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where\nthe device fails to properly validate the number of XML user nodes during\nrequest processing. An authenticated attacker can send a specially crafted\nONVIF request containing an excessive number of user entries to trigger memory\ncorruption.\n\n\n\n\n\n\n\n\n\nSuccessful\nexploitation may cause the ONVIF management service to terminate unexpectedly,\nresulting in a denial\u2011of\u2011service (DoS) condition that disrupts device\nconfiguration and management functions."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:50:59.001Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6239",
"datePublished": "2026-06-05T23:50:59.001Z",
"dateReserved": "2026-04-13T17:10:22.074Z",
"dateUpdated": "2026-06-08T13:07:41.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34123 (GCVE-0-2026-34123)
Vulnerability from nvd – Published: 2026-06-05 23:50 – Updated: 2026-06-08 13:06
VLAI
Title
Whitelist Validation Bypass in TP-Link Tapo C520WS
Summary
On Tapo
C520WS v2, restricted accounts (for example, hub users) are intended to execute
only a limited set of low‑sensitivity operations. Due to a logic flaw in the
device’s API authorization mechanism, an attacker can craft requests that
leverage legitimate “method mapping” behavior to bypass whitelist restrictions,
allowing restricted operations to be masked as permitted requests and executed.
Successful
exploitation may allow an attacker (with access to a restricted account) to
execute unauthorized sensitive operations.
Depending on the operation invoked, impact could include device
resets, unintended configuration changes, or disruption of normal operation,
leading to loss of availability and integrity of the device.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34123",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:06:49.208336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:06:57.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn Tapo\nC520WS v2, restricted accounts (for example, hub users) are intended to execute\nonly a limited set of low\u2011sensitivity operations. Due to a logic flaw in the\ndevice\u2019s API authorization mechanism, an attacker can craft requests that\nleverage legitimate \u201cmethod mapping\u201d behavior to bypass whitelist restrictions,\nallowing restricted operations to be masked as permitted requests and executed.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow an attacker (with access to a restricted account) to\nexecute \u003cb\u003eunauthorized sensitive operations.\u0026nbsp;\n\u003c/b\u003eDepending on the operation invoked, impact could include device\nresets, unintended configuration changes, or disruption of normal operation,\nleading to loss of availability and integrity of the device.\u003c/p\u003e"
}
],
"value": "On Tapo\nC520WS v2, restricted accounts (for example, hub users) are intended to execute\nonly a limited set of low\u2011sensitivity operations. Due to a logic flaw in the\ndevice\u2019s API authorization mechanism, an attacker can craft requests that\nleverage legitimate \u201cmethod mapping\u201d behavior to bypass whitelist restrictions,\nallowing restricted operations to be masked as permitted requests and executed.\n\n\n\n\n\nSuccessful\nexploitation may allow an attacker (with access to a restricted account) to\nexecute unauthorized sensitive operations.\u00a0\nDepending on the operation invoked, impact could include device\nresets, unintended configuration changes, or disruption of normal operation,\nleading to loss of availability and integrity of the device."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:50:40.407Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Whitelist Validation Bypass in TP-Link Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-34123",
"datePublished": "2026-06-05T23:50:40.407Z",
"dateReserved": "2026-03-25T18:54:03.343Z",
"dateUpdated": "2026-06-08T13:06:57.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8714 (GCVE-0-2026-8714)
Vulnerability from nvd – Published: 2026-06-05 16:14 – Updated: 2026-06-05 17:25
VLAI
Title
Denial-of-Service Vulnerability in RTSP Input Handling on TP-Link's Tapo C520WS
Summary
A denial-of-service
vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of
syntactically invalid input. Crafted inputs
can trigger a processing error, causing the RTSP service to enter non-responsive
state.
Successful
exploitation may cause the RTSP in a denial-of-service condition.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5118/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528 Rel.60422n
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T17:24:52.406696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:25:13.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"parent control"
],
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528 Rel.60422n",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eirik Alvheim"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA denial-of-service\nvulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of\nsyntactically invalid input.\u0026nbsp; Crafted inputs\ncan trigger a processing error, causing the RTSP service to enter non-responsive\nstate.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may cause the RTSP in a denial-of-service condition.\u003c/p\u003e"
}
],
"value": "A denial-of-service\nvulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of\nsyntactically invalid input.\u00a0 Crafted inputs\ncan trigger a processing error, causing the RTSP service to enter non-responsive\nstate.\n\n\n\n\n\nSuccessful\nexploitation may cause the RTSP in a denial-of-service condition."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T16:14:28.703Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5118/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial-of-Service Vulnerability in RTSP Input Handling on TP-Link\u0027s Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-8714",
"datePublished": "2026-06-05T16:14:28.703Z",
"dateReserved": "2026-05-15T20:50:58.600Z",
"dateUpdated": "2026-06-05T17:25:13.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1871 (GCVE-0-2026-1871)
Vulnerability from nvd – Published: 2026-06-02 16:13 – Updated: 2026-06-02 18:24
VLAI
Title
Authenticated Stack-based Buffer Overflow in RTSP Authentication of Tapo C200
Summary
TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request.
Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera’s live video stream or management interface until the service restarts.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C200 v5 |
Affected:
0 , < 1.4.4 Build 260527 Rel.28339n
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:21:22.840412Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:24:54.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C200 v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.4 Build 260527 Rel.28339n",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sumin Kim (@Shine)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request.\n\u003cbr\u003eSuccessful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera\u2019s live video stream or management interface until the service restarts.\u0026nbsp;\u003cbr\u003e"
}
],
"value": "TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request.\n\nSuccessful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera\u2019s live video stream or management interface until the service restarts."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:13:36.640Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c200/v5/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c200/v5/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/kr/support/download/tapo-c200/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5113/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Stack-based Buffer Overflow in RTSP Authentication of Tapo C200",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-1871",
"datePublished": "2026-06-02T16:13:36.640Z",
"dateReserved": "2026-02-04T00:03:47.430Z",
"dateUpdated": "2026-06-02T18:24:54.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34127 (GCVE-0-2026-34127)
Vulnerability from nvd – Published: 2026-05-29 18:59 – Updated: 2026-05-29 19:50
VLAI
Title
Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE
Summary
A stored
cross-site scripting (XSS) vulnerability has been identified in the web
management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM
configuration parameter during configuration file import. An attacker with
administrator access can inject malicious script into the device configuration,
which may be stored and executed in the administrator’s browser when the
affected interface is viewed.
Successful
exploitation may allow session cookie theft, unauthorized configuration
changes, or access to sensitive information exposed through the management
interface.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/en/support/download/tl-sg… | patch |
| https://www.tp-link.com/us/support/download/tl-sg… | patch |
| https://www.tp-link.com/us/support/faq/5110/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | TL-SG108PE v5 |
Affected:
0 , < 1.0.1 Build 260330
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:50:05.541707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:50:18.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TL-SG108PE v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.0.1 Build 260330",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christopher Walker"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link\u0027s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator\u2019s browser when the\naffected interface is viewed.\u0026nbsp; \u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface.\u003c/p\u003e"
}
],
"value": "A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link\u0027s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator\u2019s browser when the\naffected interface is viewed.\u00a0 \u00a0\u00a0\n\n\n\n\n\nSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:59:14.008Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5110/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link\u0027s TL-SG108PE",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-34127",
"datePublished": "2026-05-29T18:59:14.008Z",
"dateReserved": "2026-03-25T18:54:03.344Z",
"dateUpdated": "2026-05-29T19:50:18.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34126 (GCVE-0-2026-34126)
Vulnerability from nvd – Published: 2026-05-28 16:47 – Updated: 2026-05-28 19:25
VLAI
Title
Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link's Tapo L535E, P300 and D100C
Summary
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.
An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.
An attacker
within the Bluetooth range could exploit this behavior using Bluetooth sniffing
or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth
communication, manipulate transmitted setup data and potentially gain
unauthorized control of the device during initialization.
D100C is the
chime delivered with your Tapo camera, and it is delivered with the following
Tapo products:
D130, D210, D235,
D225, TD21, TDB21 and TD25
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-319 - Cleartext transmission of sensitive information
Assigner
References
6 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo L535E v1.0, v3.0 |
Affected:
0 , < 1.4.1 Build 251016 Rel.204554
(custom)
|
|
| TP-Link Systems Inc. | Tapo P300 v1.0 |
Affected:
0 , < EU_1.4.2 Build 251219 Rel.142654
(custom)
Affected: 0 , < JP_1.4.0 Build 260416 Rel.014037 (custom) |
|
| TP Link Systems Inc. | Tapo D100C v1.0 |
Affected:
0 , < 1.3.1 Build 260421 Rel.031658
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:21:58.314711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:25:53.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"RTOS"
],
"product": "Tapo L535E v1.0, v3.0",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.1 Build 251016 Rel.204554",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"RTOS"
],
"product": "Tapo P300 v1.0",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "EU_1.4.2 Build 251219 Rel.142654",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "JP_1.4.0 Build 260416 Rel.014037",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"RTOS"
],
"product": "Tapo D100C v1.0",
"vendor": "TP Link Systems Inc.",
"versions": [
{
"lessThan": "1.3.1 Build 260421 Rel.031658",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "eyegrep and izurina from L Plus LLC"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.\n\u003cbr\u003eAn attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.\u0026nbsp;\u003cbr\u003e\u003cdiv\u003e\u003cp\u003eAn attacker\nwithin the Bluetooth range could exploit this behavior using Bluetooth sniffing\nor man-in-the-middle techniques, which may allow eavesdropping on Bluetooth\ncommunication, manipulate transmitted setup data and potentially gain\nunauthorized control of the device during initialization.\u003c/p\u003e\u003cp\u003eD100C is the\nchime delivered with your Tapo camera, and it is delivered with the following\nTapo products:\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eD130, D210, D235,\nD225, TD21, TDB21 and TD25\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.\n\nAn attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.\u00a0\n\n\nAn attacker\nwithin the Bluetooth range could exploit this behavior using Bluetooth sniffing\nor man-in-the-middle techniques, which may allow eavesdropping on Bluetooth\ncommunication, manipulate transmitted setup data and potentially gain\nunauthorized control of the device during initialization.\n\n\n\nD100C is the\nchime delivered with your Tapo camera, and it is delivered with the following\nTapo products:\n\n\n\n\n\n\n\n\n\nD130, D210, D235,\nD225, TD21, TDB21 and TD25"
}
],
"impacts": [
{
"capecId": "CAPEC-157",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-157 Sniffing Attacks"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext transmission of sensitive information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:47:15.988Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-l535e/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-l535e/v3/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/jp/support/download/tapo-p300/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-p300/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/jp/support/download/tapo-l535e/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5106/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link\u0027s Tapo L535E, P300 and D100C",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-34126",
"datePublished": "2026-05-28T16:47:15.988Z",
"dateReserved": "2026-03-25T18:54:03.343Z",
"dateUpdated": "2026-05-28T19:25:53.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8697 (GCVE-0-2026-8697)
Vulnerability from nvd – Published: 2026-05-28 15:45 – Updated: 2026-05-29 03:55
VLAI
Title
Improper Authentication Rate Limiting on TP-Link's Archer C64
Summary
Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH.
Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-288 - Authentication bypass using an alternate path or channel
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/en/support/download/arche… | patch |
| https://www.tp-link.com/us/support/faq/5105/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Archer C64 v1.0 |
Affected:
0 , < 1.15.0 Build 250729 Rel.63489n(4555)
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T03:55:51.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Archer C64 v1.0",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.15.0 Build 250729 Rel.63489n(4555)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tanjim Kamal"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH.\n\u003cbr\u003eSuccessful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.\u0026nbsp;\u003cbr\u003e"
}
],
"value": "Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH.\n\nSuccessful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability."
}
],
"impacts": [
{
"capecId": "CAPEC-49",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-49 Password Brute Forcing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication bypass using an alternate path or channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:45:20.971Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-c64/v1/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5105/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Authentication Rate Limiting on TP-Link\u0027s Archer C64",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-8697",
"datePublished": "2026-05-28T15:45:20.971Z",
"dateReserved": "2026-05-15T16:35:09.352Z",
"dateUpdated": "2026-05-29T03:55:51.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
JVNDB-2026-000082
Vulnerability from jvndb - Published: 2026-06-05 14:05 - Updated:2026-06-05 14:05
Severity
Summary
Multiple TP-Link products vulnerable to cleartext transmission of sensitive information
Details
Multiple TP-Link products provided by TP-Link Systems Inc. contain the following vulnerability.
- Cleartext transmission of sensitive information (CWE-319) - CVE-2026-34126
References
| Type | URL | |
|---|---|---|
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000082.html",
"dc:date": "2026-06-05T14:05+09:00",
"dcterms:issued": "2026-06-05T14:05+09:00",
"dcterms:modified": "2026-06-05T14:05+09:00",
"description": "Multiple TP-Link products provided by TP-Link Systems Inc. contain the following vulnerability.\u003ca href=\u0027https://cwe.mitre.org/data/definitions/319.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003ca href=\u0027https://www.cve.org/CVERecord?id=CVE-2026-34126\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003cul\u003e\u003cli\u003eCleartext transmission of sensitive information (CWE-319) - CVE-2026-34126\u003c/li\u003e\u003c/ul\u003eeyegrep and izurina of L Plus LLC reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000082.html",
"sec:cpe": [
{
"#text": "cpe:/h:misc:tp-link_tapo_d100c",
"@product": "Tapo D100C",
"@vendor": "TP-Link Systems Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/h:misc:tp-link_tapo_l535e",
"@product": "Tapo L535E",
"@vendor": "TP-Link Systems Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/h:misc:tp-link_tapo_p300",
"@product": "Tapo P300",
"@vendor": "TP-Link Systems Inc.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "6.7",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2026-000082",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN70631953/index.html",
"@id": "JVN#70631953",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-34126",
"@id": "CVE-2026-34126",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple TP-Link products vulnerable to cleartext transmission of sensitive information"
}