CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-6250

An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.002

EPSS Ranking 11.1%

CVSS Severity

CVSS v3 Score 8.1

References

https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes
https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes
https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes
https://www.tp-link.com/us/support/faq/5128/

Products affected by CVE-2026-6250

Tp-Link » Tapo C110 » Version: 2.0

cpe:2.3:h:tp-link:tapo_c110:2.0
Tp-Link » Tapo C110 Firmware » Version: Any

cpe:2.3:o:tp-link:tapo_c110_firmware:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-6250

Products

Pricing

Contact Us