CVE-2026-6242— Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 | < 1.2.6 Build 260528 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6242
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS
Source: NVD (National Vulnerability Database)
Vulnerability Description
An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution. Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用外部控制的格式字符串
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 | 0 ~ 1.2.6 Build 260528 | - |
II. Public POCs for CVE-2026-6242
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6242
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-6242 (1)
Same Patch Batch · TP-Link Systems Inc. · 2026-06-05 · 6 CVEs total
| CVE-2026-6240 | Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C52 | |
| CVE-2026-6239 | Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520 | |
| CVE-2026-6241 | Authenticated Format String Vulnerability in ONVIF AddScopes Method on TP-Link Tapo C520WS | |
| CVE-2026-34123 | Whitelist Validation Bypass in TP-Link Tapo C520WS | |
| CVE-2026-8714 | Denial-of-Service Vulnerability in RTSP Input Handling on TP-Link's Tapo C520WS |
IV. Related Vulnerabilities
Same product: Tapo C520WS v2
- CVE-2026-6241
Authenticated Format String Vulnerability in ONVIF AddScopes - CVE-2026-6240
Authenticated Stack-based Buffer Overflow in ONVIF DeleteUse - CVE-2026-6239
Authenticated Stack-based Buffer Overflow in ONVIF CreateUse - CVE-2026-34123
Whitelist Validation Bypass in TP-Link Tapo C520WS - CVE-2026-8714
Denial-of-Service Vulnerability in RTSP Input Handling on TP
Same vendor: TP-Link Systems Inc.
- CVE-2026-6250
Authenticated Format String Injection on TP-Link Tapo C110 - CVE-2026-9151
Command Injection Vulnerability in OpenVPN on Multiple TP-Li - CVE-2026-8913
Command Injection in TP-Link's Archer MR600 WireGuard Client - CVE-2026-6241
Authenticated Format String Vulnerability in ONVIF AddScopes - CVE-2026-6240
Authenticated Stack-based Buffer Overflow in ONVIF DeleteUse
Same weakness: CWE-134
- CVE-2026-12174
D-Link DCS-935L HTTP rhea snprintf format string - CVE-2026-6250
Authenticated Format String Injection on TP-Link Tapo C110 - CVE-2026-6241
Authenticated Format String Vulnerability in ONVIF AddScopes - CVE-2026-50211
Exposed Factory Testing App Boundaries - CVE-2026-7835
Format string argument mismatch
V. Comments for CVE-2026-6242
No comments yet