CVE-2026-28520 HIGH

CVE-2026-28520: arduino-TuyaOpen WiFiMulti Single-Byte Buffer Overflow Remote Code Execution

Vendor Tuya
Product arduino-TuyaOpen
Weakness CWE-193
Published March 15, 2026
Last update March 16, 2026

CVSS base score

8.6/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow (an off-by-one error, CWE-193) in the WiFiMulti component. When the victim's smart hardware connects to an attacker-controlled access point (AP) hotspot, the attacker can exploit the overflow to execute arbitrary code on the affected embedded device.

Key dates

02 Disclosure timeline

March 15, 2026 CVE published
March 16, 2026 Record updated