CVE-2025-0918: TP-Link HTTP POST body DoS

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a malformed allocation length vulnerability which leads to denial of service. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2025-0918. Vulnerability Details In the HTTP Server implementation of TAPO devices, the http_recv_block function (in the main binary) is used to retrieve HTTP packets from the network into memory. It accepts a pointer to a buffer and the size of said buffer as parameters, and copies the HTTP content into this buffer.

CVE-2025-14299: TP-Link HTTP POST body DoS

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a malformed allocation length vulnerability which leads to denial of service. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2025-14299. Vulnerability Details This vulnerability is very similar to CVE-2025-0918; it is found in the same logic in the same function. In the HTTP Server implementation of TAPO devices, the http_recv_block function (in the main binary) is used to retrieve HTTP packets from the network into memory.

CVE-2025-8065: TP-Link ONVIF stack buffer overflow

An attacker sending a malformed ONVIF request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a stack buffer overflow, which leads to pre-auth remote code execution via LAN or WAN (through browser). The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory originally released in December 2026 and updated in April 2026 contains this vulnerability as CVE-2025-8065. Vulnerability Details In the ONVIF stack there is a bug in the SOAP parser in the soap_rearrange_tag function. soap_rearrange_tag(char* src_tag, char* dst_tag) { char ns[16]; // .

CVE-2026-0651: TP-Link HTTP GET path traversal

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a path traversal which can lead to leaking secrets. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in January 2026 and updated in April 2026 contains this vulnerability as CVE-2026-0651. Vulnerability Details We identified a path traversal vulnerability in the way the HTTP server of TAPO devices handles GET requests. The parser only gives access to specific directories without authentication.

CVE-2026-34118: TP-Link HTTP POST body heap buffer overflow

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a heap buffer overflow, which leads to remote code execution. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34118. Vulnerability Details In the HTTP Server implementation of TAPO devices, the http_recv_block function (within the main binary) is used to retrieve HTTP packets from the network into memory. It accepts a pointer to a buffer and the size of said buffer as parameters, and copies the HTTP content into this buffer.

CVE-2026-34119: TP-Link HTTP POST body heap buffer overflow

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a heap buffer overflow, which leads to remote code execution. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34119. Vulnerability Details Another overflow similar to CVE-2026-34118 was present within the main HTTP parser function. This vulnerability can be triggered when more than one receive is required to read the full contents of the body.

CVE-2026-34120: TP-Link HTTP POST body heap buffer overflow

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a heap buffer overflow, which leads to remote code execution. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34120. Vulnerability Details In the HTTP Server implementation of TAPO devices, another overflow similar to CVE-2026-34118 is present in http_read_content_asyn. This gets called repeatedly, e.g. if new data arrived on a read that timed out.

CVE-2026-34121: TP-Link HTTP authentication bypass

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes an authentication bypass vulnerability in the HTTP server implementation. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34121. Vulnerability Details In the TAPO architecture, the DS module of the HTTP server running on the device is used for storing persistent configurations and other, dynamically generated content, and also for performing actions on the device.

CVE-2026-34124: TP-Link HTTP GET stack buffer overflow

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a stack buffer overflow, which leads to denial of service and may potentially lead to remote code execution. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34124. Vulnerability Details We identified a stack buffer overflow vulnerability in the way the HTTP server of TAPO devices handles GET requests. http_parser() { path = .

TVE-2026-04: TP-Link HTTP authentication bypass

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes an authentication bypass vulnerability in the HTTP server implementation. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory was promised for release in April 2026 after several delays, but this did not happen, and the vendor provided no explanation. Vulnerability Details The TAPO architecture can authenticate different account roles; one of them is the hub user. A whitelist introduced in recent builds (2025) limits this role to a few less sensitive actions.