What is the CVSS score of CVE-2026-28521?

CVE-2026-28521 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Arduino Tuyaopen are affected by CVE-2026-28521?

CVE-2026-28521 is a memory read vulnerability in the TuyaIoT component affecting arduino-TuyaOpen library versions before 1.2.1, used in IoT devices connected to Tuya's cloud platform.. A patch is available.

Arduino Tuyaopen CVE-2026-28521

EUVD-2026-12228 HIGH

Out-of-bounds Read (CWE-125)

2026-03-15 VulnCheck

Buffer Overflow Information Disclosure Arduino Tuyaopen

7.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:22 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.2.1

EUVD ID Assigned

Mar 15, 2026 - 14:00 euvd

EUVD-2026-12228

Analysis Generated

Mar 15, 2026 - 14:00 vuln.today

CVE Published

Mar 15, 2026 - 13:35 nvd

HIGH 7.7

DescriptionNVD

arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition.

AnalysisAI

CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versions prior to 1.2.1, affecting IoT devices using Tuya's cloud platform. An attacker who compromises or controls the Tuya cloud service can send malformed DP (data point) events to trigger memory disclosure or denial-of-service conditions. …

RemediationAI

Within 24 hours: Inventory all IoT devices and systems using arduino-TuyaOpen library versions prior to 1.2.1. Within 7 days: Upgrade affected devices to arduino-TuyaOpen 1.2.1 or later; test in non-production environment first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28521 vulnerability details – vuln.today

Back

Arduino Tuyaopen CVE-2026-28521

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code