Format String Vulnerability in Tapo C520WS by TP-Link
CVE-2026-6242

6.8MEDIUM

What is CVE-2026-6242?

An authenticated format string vulnerability in the Tapo C520WS v2's ONVIF Subscribe service arises from inadequate management of externally supplied parameters in formatting functions. Attackers can exploit this weakness by crafting format strings in event subscription requests, potentially leading to unexpected termination of the event notification service. This disruption can result in significant issues such as loss of real-time alarm functionalities and interruptions in event notifications.

Affected Version(s)

Tapo C520WS v2 0 < 1.2.6 Build 260528

References

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.