{"cve":{"cve_id":"CVE-2026-6250","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00463,"epss_percentile":0.36588,"epss_as_of":"2026-06-23","description":"An\nauthenticated format string vulnerability exists in the ONVIF service of Tapo\nC110 v2 due to improper handling of user-controlled input.  Externally controlled data is interpreted as\na format string, which can be used to manipulate stack memory, including\ncontrol flow data such as return addresses.\n\n\n\n\n\nA remote\nauthenticated attacker may redirect execution flow to existing internal\nfunctions, triggering an unauthorized factory reset, leading to loss of\nconfiguration, deletion of stored credentials and service disruption.","published_at":"2026-06-11T20:46:09.672000Z","last_modified_at":null,"cvss_v3_score":null,"cvss_v3_vector":null,"cvss_v3_severity":null,"cvss_v4_score":7.0,"cvss_v4_vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N","cvss_v4_severity":"HIGH","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-134"],"nvd_references":["https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes","https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes","https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes","https://www.tp-link.com/us/support/faq/5128/"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:31:00.922472Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":null,"metrics":[]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"A","value_label":"Adjacent"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"N","value_label":"None"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"N","value_label":"None"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"H","value_label":"High"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"N","value_label":"None"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"N","value_label":"None"},{"metric":"SA","name":"Availability (Subsequent System)","value":"N","value_label":"None"}]},"affected":[{"vendor_slug":"tp-link-systems-inc.","vendor_name":"TP-Link Systems Inc.","product_slug":"tapo-c110-v2","product_name":"Tapo C110 v2","version_start":"0","version_start_inclusive":true,"version_end":"1.5.4 Build 260428","version_end_inclusive":false,"cpe23_uri":"cve5:tp-link-systems-inc.:tapo-c110-v2:0:1.5.4 Build 260428"}],"exploit_refs":[],"news":[],"references":[{"url":"https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes","source_type":"MISC","tags":[]},{"url":"https://www.tp-link.com/en/support/download/tapo-c110/v2/#Firmware-Release-Notes","source_type":"MISC","tags":[]},{"url":"https://www.tp-link.com/kr/support/download/tapo-c110/v2/#Firmware-Release-Notes","source_type":"MISC","tags":[]},{"url":"https://www.tp-link.com/us/support/faq/5128/","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-11T20:46:09.672000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:56:01.087206Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:56:01.087206Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:56:01.087206Z","label":"CVSS score revised","source":"cvelistv5"}]}