Tp Link Tapo
By the Year
In 2026 there have been 8 vulnerabilities in Tp Link Tapo. Last year, in 2025 Tapo had 4 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 8 | 0.00 |
| 2025 | 4 | 0.00 |
| 2024 | 1 | 7.50 |
| 2023 | 4 | 7.08 |
It may take a day or so for new Tapo vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Tp Link Tapo Security Vulnerabilities
TLS Cert Validation Flaw Enabling Acceptance of Untrusted Server Identities
CVE-2025-9293
- February 13, 2026
A vulnerability in the certificate validation logic may allow applications to accept untrusted or improperly validated server identities during TLS communication. An attacker in a privileged network position may be able to intercept or modify traffic if they can position themselves within the communication channel. Successful exploitation may compromise confidentiality, integrity, and availability of application data.
Improper Certificate Validation
TP-Link Tapo C260 v1 Path Traversal via HTTPS GET
CVE-2026-0651
- February 10, 2026
On TP-Link Tapo C260 v1 and D235 v1, path traversal is possible due to improper handling of specific GET request paths via HTTPS, allowing local unauthenticated probing of filesystem paths. An attacker on the local network can determine whether certain files exist on the device, with no read, write or code execution possibilities.
Directory traversal
TP-Link Tapo C260 v1 cmd injection via config sync POST param
CVE-2026-0652
- February 10, 2026
On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.
Shell injection
Tapo C260 v1 Guest Auth Bypass via Sync Endpoint (CVE-2026-0653)
CVE-2026-0653
- February 10, 2026
On TP-Link Tapo C260 v1 and D235 v1, a guest-level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.
Authorization
TP-Link Tapo H100/P100 Improper Cert Store CVE-2025-15557
CVE-2025-15557
- February 05, 2026
An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations.
Improper Certificate Validation
Tapo C220/C520WS v1/v2: Unauth FW Update DoS via core service termination
CVE-2026-1315
- January 27, 2026
By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation.
Improper Input Validation
Tapo Camera HTTP Parser Crash via Long URL => DoS
CVE-2026-0919
- January 27, 2026
The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid-URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
Improper Input Validation
Tapo Cameras HTTP Content-Length DOS via Null Pointer
CVE-2026-0918
- January 27, 2026
The HTTP service of the Tapo C220 v1 and C520WS v2 cameras does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
NULL Pointer Dereference
Tapo C200 V3 HTTPS ConnectAP Unauth Enables WiFi Config Tampering
CVE-2025-14300
- December 20, 2025
The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device's Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).
Missing Authentication for Critical Function
Tapo C200 V3 HTTPS Content-Length Integer Overflow DoS
CVE-2025-14299
- December 20, 2025
The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS).
Allocation of Resources Without Limits or Throttling
Buffer Overflow in Tapo C200 V3 ONVIF XML Parser Enables DoS
CVE-2025-8065
- December 20, 2025
A buffer overflow vulnerability exists in the ONVIF XML parser of Tapo C200 V3. An unauthenticated attacker on the same local network segment can send specially crafted SOAP XML requests, causing memory overflow and device crash, resulting in denial-of-service (DoS).
Resource Exhaustion
TP-Link Tapo C210 V1.8 Mobile App: Unauthenticated API Exposes Password Hashes
CVE-2025-14553
- December 16, 2025
Exposure of password hashes through an unauthenticated API response in the TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute-force the password on the local network. The issue can be mitigated through mobile application updates; device firmware remains unchanged.
Information Disclosure
TP-Link Tapo APK v2.12.703 Hardcoded Credentials Leak
CVE-2023-27098
7.5 - High
- January 09, 2024
TP-Link Tapo APK up to v2.12.703 uses hardcoded credentials for access to the login panel.
Cleartext Storage of Sensitive Information
TP-Link Tapo Pre-3.1.315: Access Control Flaw Exposes Credentials in Plaintext
CVE-2023-34829
6.5 - Medium
- December 28, 2023
Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext.
Cleartext Transmission of Sensitive Information
TP-Link Tapo Replay via Valid Session Key (Pre-1.2.4/1.1.0/1.0.4/1.5.0/2.8.14)
CVE-2023-38907
7.5 - High
- September 25, 2023
An issue in TPLink Smart Bulb Tapo series L530 before 1.2.4, L510E before 1.1.0, L630 before 1.0.4, P100 before 1.5.0, and Tapo Application 2.8.14 allows a remote attacker to replay old messages encrypted with a still valid session key.
Tapo Pre-7.10 Vault Key Weakness: Fixed Tail Bytes
CVE-2023-43637
7.8 - High
- September 21, 2023
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32-byte randomly generated key with this key (by taking 16 bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32-byte key usage.
Use of Hard-coded Credentials
TP-Link Tapo IoT Devices (1.4.9) UDP Auth Code Disclosure
CVE-2023-38906
6.5 - Medium
- August 22, 2023
An issue in TPLink Smart Bulb Tapo series L530 1.1.9, L510E 1.0.8, L630 1.0.3, P100 1.4.9, Smart Camera Tapo series C200 1.1.18, and Tapo Application 2.8.14 allows a remote attacker to obtain sensitive information via the authentication code for the UDP message.