Tp Link Tapo

DoS via HTTP Path Normalization in TP-Link Tapo C520WS v2.6
CVE-2026-34124 - April 02, 2026

A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause buffer overflow and memory corruption, leading to system interruption or device reboot.

Classic Buffer Overflow

TP-Link Tapo C520WS v2.6 Stack Buffer Overflow in Config Handling
CVE-2026-34122 - April 02, 2026

A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within a configuration handling component due to insufficient input validation. An attacker can exploit this vulnerability by supplying an excessively long value for a vulnerable configuration parameter, resulting in a stack overflow. Successful exploitation results in Denial-of-Service (DoS) condition, leading to a service crash or device reboot, impacting availability.

Stack Overflow

TP-Link Tapo C520WS 2.6 Auth Bypass in DS Config HTTP
CVE-2026-34121 - April 02, 2026

An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.

authentification

Heap Buffer Overflow in TP-Link Tapo C520WS v2.6 Causing DoS
CVE-2026-34120 - April 02, 2026

A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the asynchronous parsing of local video stream content due to insufficient alignment and validation of buffer boundaries when processing streaming inputs.An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries.  Successful exploitation causes a Denial-of-Service (DoS) condition, causing the devices process to crash or become unresponsive.

Heap-based Buffer Overflow

TP-Link Tapo C520WS v2.6 HTTP parse heap overflow DoS
CVE-2026-34119 - April 02, 2026

A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP parsing loop when appending segmented request bodies without continuous writeboundary verification, due to insufficient boundary validation when handling externally supplied HTTP input.  An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries.  Successful exploitation causes a Denial-of-Service (DoS) condition, causing the devices process to crash or become unresponsive.

Heap-based Buffer Overflow

TP-Link Tapo C520WS v2.6 Heap Buffer Overflow in HTTP POST Parsing (DoS)
CVE-2026-34118 - April 02, 2026

A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to insufficient boundary validation when handling externally supplied HTTP input.  An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries.  Successful exploitation causes a Denial-of-Service (DoS) condition, causing the devices process to crash or become unresponsive.

Heap-based Buffer Overflow

TLS Cert Validation Flaw Enabling Acceptance of Untrusted Server Identities
CVE-2025-9293 - February 13, 2026

A vulnerability in the certificate validation logic may allow applications to accept untrusted or improperly validated server identities during TLS communication. An attacker in a privileged network position may be able to intercept or modify traffic if they can position themselves within the communication channel. Successful exploitation may compromise confidentiality, integrity, and availability of application data.

Improper Certificate Validation

TP-Link Tapo C260 v1 Path Traversal via HTTPS GET
CVE-2026-0651 - February 10, 2026

A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP servers handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. Successful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.

Directory traversal

TP-Link Tapo C260 v1 cmd injection via config sync POST param
CVE-2026-0652 - February 10, 2026

On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.

Shell injection

Tapo C260 v1 Guest Auth Bypass via Sync Endpoint (CVE-2026-0653)
CVE-2026-0653 - February 10, 2026

On TP-Link Tapo C260 v1 and D235 v1, a guestlevel authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.

Authorization

TP-Link Tapo H100/P100 Improper Cert Store CVE-2025-15557
CVE-2025-15557 - February 05, 2026

An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications.  This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations.

Improper Certificate Validation

Tapo C220/C520WS v1/v2: Unauth FW Update DoS via core service termination
CVE-2026-1315 - January 27, 2026

By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation.

Improper Input Validation

Tapo Camera HTTP Parser Crash via Long URL => DoS
CVE-2026-0919 - January 27, 2026

The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalidURL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.

Improper Input Validation

Tapo Cameras HTTP Content-Length DOS via Null Pointer
CVE-2026-0918 - January 27, 2026

The Tapo C220 v1 and C520WS v2 cameras HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.

NULL Pointer Dereference

Tapo C200 V3 HTTPS ConnectAP Unauth Enables WiFi Config Tampering
CVE-2025-14300 - December 20, 2025

The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the devices Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).

Missing Authentication for Critical Function

Tapo C200 V3 HTTPS Content-Length Integer Overflow DoS
CVE-2025-14299 - December 20, 2025

The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS).

Allocation of Resources Without Limits or Throttling

Buffer Overflow in Tapo C200 V3 ONVIF XML Parser Enables DoS
CVE-2025-8065 - December 20, 2025

A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer. It allowed a crafted SOAP request with an oversized namespace prefix to cause memory corruption in stack. An unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device.

Stack Overflow

TP-Link Tapo C210 V1.8 Mobile App: Unauthenticated API Exposes Password Hashes
CVE-2025-14553 - December 16, 2025

Exposure of password hashes through an unauthenticated API response in TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute force the password in the local network. Issue can be mitigated through mobile application updates. Device firmware remains unchanged.

Information Disclosure

TP-Link Tapo APK v2.12.703 Hardcoded Credentials Leak
CVE-2023-27098 7.5 - High - January 09, 2024

TP-Link Tapo APK up to v2.12.703 uses hardcoded credentials for access to the login panel.

Cleartext Storage of Sensitive Information

TP-Link Tapo Pre-3.1.315: Access Control Flaw Exposes Credentials in Plaintext
CVE-2023-34829 6.5 - Medium - December 28, 2023

Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext.

Cleartext Transmission of Sensitive Information

TPLink Tapo Replay via Valid Session Key (Prev1.2.4/1.1.0/1.0.4/1.5.0/2.8.14)
CVE-2023-38907 7.5 - High - September 25, 2023

An issue in TPLink Smart Bulb Tapo series L530 before 1.2.4, L510E before 1.1.0, L630 before 1.0.4, P100 before 1.5.0, and Tapo Application 2.8.14 allows a remote attacker to replay old messages encrypted with a still valid session key.

Tapo Pre-7.10 Vault Key Weakness: Fixed Tail Bytes
CVE-2023-43637 7.8 - High - September 21, 2023

Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage.

Use of Hard-coded Credentials

TP-Link Tapo IoT Devices (1.4.9) UDP Auth Code Disclosure
CVE-2023-38906 6.5 - Medium - August 22, 2023

An issue in TPLink Smart Bulb Tapo series L530 1.1.9, L510E 1.0.8, L630 1.0.3, P100 1.4.9, Smart Camera Tapo series C200 1.1.18, and Tapo Application 2.8.14 allows a remote attacker to obtain sensitive information via the authentication code for the UDP message.