By vendor
Tp-Link vulnerabilities
Known CVEs affecting Tp-Link products, prioritized by severity, with SEC.co remediation and detection guidance.
3 published vulnerabilities
- CVE-2026-34126HIGH 7.5
TP-Link's Tapo smart home devices—the L535E light strip, P300 smart plug, and D100C chime—send unencrypted Bluetooth data during initial setup. An attacker nearby could intercept this traffic, eavesdrop on setup credentials or configuration, or manipulate the transmitted data to take control of a device while it's being paired. The vulnerability only affects the initialization phase; once setup is complete, Bluetooth is not used. The practical threat depends on physical proximity and whether an attacker is present during a user's setup window, which typically occurs in the home or office.
- CVE-2026-1871MEDIUM 6.5
TP-Link Tapo C200 v5 camera firmware contains a flaw in how it validates incoming RTSP (Real Time Streaming Protocol) authentication requests. An attacker on the local network can send a specially crafted authentication message that overflows a memory buffer, crashing the camera's streaming service and forcing an automatic reboot. During this outage, users cannot view live video or manage the camera remotely. Once the camera restarts, service is restored, but the vulnerability remains exploitable, making repeated attacks feasible.
- CVE-2026-34127MEDIUM 4.8
A stored cross-site scripting (XSS) vulnerability exists in TP-Link's TL-SG108PE v5 managed switch web interface. When an administrator imports a configuration file containing malicious code in the SYSNAM parameter, that code is stored without proper sanitization. The next time an administrator accesses the web management interface, the injected script executes in their browser. This could allow an attacker (who must already have administrator credentials) to steal session cookies, modify switch settings, or extract sensitive information from the management interface.