CVE-2026-6242— Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 | < 1.2.6 Build 260528 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6242
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS
Source: NVD (National Vulnerability Database)
Vulnerability Description
An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution. Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用外部控制的格式字符串
Source: NVD (National Vulnerability Database)
Vulnerability Title
TP-Link Tapo C520WS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
TP-Link Tapo C520WS是中国普联(TP-Link)公司的一个WiFi摄像头。 TP-Link Tapo C520WS v2版本存在安全漏洞,该漏洞源于ONVIF Subscribe服务中格式字符串漏洞,外部提供的参数处理不当,可能导致经过身份验证的攻击者注入特制格式字符串,造成事件通知服务终止,导致拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 | 0 ~ 1.2.6 Build 260528 | - |
II. Public POCs for CVE-2026-6242
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6242
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-6242 (1)
Same Patch Batch · TP-Link Systems Inc. · 2026-06-05 · 6 CVEs total
| CVE-2026-6240 | Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C52 | |
| CVE-2026-6239 | Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520 | |
| CVE-2026-6241 | Authenticated Format String Vulnerability in ONVIF AddScopes Method on TP-Link Tapo C520WS | |
| CVE-2026-34123 | Whitelist Validation Bypass in TP-Link Tapo C520WS | |
| CVE-2026-8714 | Denial-of-Service Vulnerability in RTSP Input Handling on TP-Link's Tapo C520WS |
IV. Related Vulnerabilities
Same product: Tapo C520WS v2
- CVE-2026-6241
Authenticated Format String Vulnerability in ONVIF AddScopes - CVE-2026-6240
Authenticated Stack-based Buffer Overflow in ONVIF DeleteUse - CVE-2026-6239
Authenticated Stack-based Buffer Overflow in ONVIF CreateUse - CVE-2026-34123
Whitelist Validation Bypass in TP-Link Tapo C520WS - CVE-2026-8714
Denial-of-Service Vulnerability in RTSP Input Handling on TP
Same vendor: TP-Link Systems Inc.
- CVE-2026-11409
OS Command Injection in IPv6 PPPoE Configuration in TP-Link - CVE-2026-11410
OS Command Injection in BigPond Cable (BPA) Configuration in - CVE-2026-6250
Authenticated Format String Injection on TP-Link Tapo C110 - CVE-2026-9151
Command Injection Vulnerability in OpenVPN on Multiple TP-Li - CVE-2026-8913
Command Injection in TP-Link's Archer MR600 WireGuard Client
Same weakness: CWE-134
V. Comments for CVE-2026-6242
No comments yet