PT-2026-29846 · Tp Link Systems+1 · Tapo C520Ws V2.6+1

Published: 2026-04-02 · Updated: 2026-04-30 · CVE-2026-34118

CVSS v4.0: 7.1 (High)

Vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

TP-Link Tapo C520WS version 2.6

Description

A heap-based buffer overflow exists in the HTTP POST body parsing logic due to insufficient boundary validation and missing validation of remaining buffer capacity after dynamic allocation when handling externally supplied HTTP input. An attacker on the same network segment can trigger heap memory corruption by sending crafted payloads that cause write operations beyond allocated buffer boundaries. This can lead to a Denial-of-Service (DoS) condition, causing the device process to crash or become unresponsive, or potentially enable remote code execution (RCE).

Recommendations

Update TP-Link Tapo C520WS version 2.6 to the latest firmware version released by TP-Link. Implement robust input validation on network perimeters and segment devices to reduce exposure.

Fix

Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-34118

Affected Products

Tapo C520Ws V2.6
Tapo C520Ws Firmware