What is the CVSS score of CVE-2026-28520?

CVE-2026-28520 has a CVSS 3.1 base score of 8.4 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Arduino Tuyaopen are affected by CVE-2026-28520?

Arduino-TuyaOpen versions prior to 1.2.1 contain a buffer overflow vulnerability in the WiFiMulti component that enables remote code execution on connected IoT devices through malicious WiFi access…. A patch is available.

Arduino Tuyaopen CVE-2026-28520

EUVD-2026-12227 HIGH

Off-by-one Error (CWE-193)

2026-03-15 VulnCheck

RCE Buffer Overflow Arduino Tuyaopen

8.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:22 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.2.1

EUVD ID Assigned

Mar 15, 2026 - 14:00 euvd

EUVD-2026-12227

Analysis Generated

Mar 15, 2026 - 14:00 vuln.today

CVE Published

Mar 15, 2026 - 13:35 nvd

HIGH 8.4

DescriptionNVD

arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vulnerability in the WiFiMulti component. When the victim's smart hardware connects to an attacker-controlled AP hotspot, the attacker can exploit the overflow to execute arbitrary code on the affected embedded device.

AnalysisAI

Single-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices, with a CVSS score of 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.

RemediationAI

Within 24 hours: Identify all systems using arduino-TuyaOpen library versions before 1.2.1 and document deployment locations. Within 7 days: Apply vendor patch to upgrade arduino-TuyaOpen to version 1.2.1 or later across all development environments and device firmware builds. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28520 vulnerability details – vuln.today

Back

Arduino Tuyaopen CVE-2026-28520

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code