CVE-2026-6250 HIGH

CVE-2026-6250: Authenticated Format String Injection on TP-Link Tapo C110

Vendor TP-Link Systems Inc.
Product Tapo C110 v2
Weakness CWE-134
Published June 11, 2026
Last update June 12, 2026

CVSS base score

7.0/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.

Key dates

02 Disclosure timeline

June 11, 2026 CVE published
June 12, 2026 Record updated