What is the CVSS score of CVE-2026-28519?

CVE-2026-28519 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Arduino Tuyaopen are affected by CVE-2026-28519?

Tuya's arduino-TuyaOpen library versions before 1.2.1 contain a heap-based buffer overflow in the DnsServer component that enables remote code execution on IoT and embedded devices from attackers on…. A patch is available.

Arduino Tuyaopen CVE-2026-28519

EUVD-2026-12226 HIGH

Heap-based Buffer Overflow (CWE-122)

2026-03-15 VulnCheck

RCE Buffer Overflow Heap Overflow Arduino Tuyaopen

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:22 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.2.1

EUVD ID Assigned

Mar 15, 2026 - 14:00 euvd

EUVD-2026-12226

Analysis Generated

Mar 15, 2026 - 14:00 vuln.today

CVE Published

Mar 15, 2026 - 13:36 nvd

HIGH 8.8

DescriptionNVD

arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can send malicious DNS responses to overflow the heap buffer, potentially allowing execution of arbitrary code on affected embedded devices.

AnalysisAI

Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.

RemediationAI

Within 24 hours: Identify all deployed IoT devices using Tuya arduino-TuyaOpen library and document current versions. Within 7 days: Upgrade affected devices to version 1.2.1 or later; prioritize devices in critical operational environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28519 vulnerability details – vuln.today

Back

Arduino Tuyaopen CVE-2026-28519

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code