Tasmota CVE-2026-38422
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, fetch_jpg() function.
AnalysisAI
Remote code execution in Tasmota firmware version 15.3.0.3 and earlier allows remote unauthenticated attackers to trigger a stack-based buffer overflow in the fetch_jpg() function of the xdrv_10_scripter.ino scripting driver. The flaw is exposed over the network with low complexity and no privileges required (CVSS 7.3 AV:N/AC:L/PR:N/UI:N), and a public proof-of-concept repository has been registered, though no public exploit code was identified in the references at time of analysis. EPSS probability is very low (0.05%, 15th percentile) and the issue is not listed in CISA KEV.
Technical ContextAI
Tasmota is an open-source firmware widely deployed on ESP8266/ESP32 microcontrollers for smart-home and IoT devices, providing MQTT, HTTP, and a built-in rule/scripting engine. The vulnerable code lives in the optional Scripter driver (xdrv_10_scripter.ino), specifically the fetch_jpg() helper that downloads JPEG content over HTTP for use inside user scripts. CWE-121 (Stack-Based Buffer Overflow) identifies the root cause: a fixed-size stack buffer is written without proper length validation against attacker-influenced input, allowing the stack frame - including saved return addresses on the ESP architecture - to be corrupted. Because Tasmota firmware images are statically linked with limited mitigations on ESP targets (no ASLR, no canaries in stock builds), stack corruption is a realistic path to arbitrary code execution on the device.
Affected ProductsAI
The affected product is Tasmota firmware (arendst/Tasmota) version 15.3.0.3 and all earlier releases, with the vulnerable code in tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino on the development branch (https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino). No CPE strings were provided in the input data, and no separate vendor advisory was supplied beyond the upstream GitHub repository at https://github.com/arendst/Tasmota; downstream device builds that include the Scripter driver (a compile-time option commonly enabled in tasmota32-script and similar variants) inherit the flaw.
RemediationAI
No vendor-released patched version is cited in the provided references, so treat this as: released patched version not independently confirmed - track the upstream repository at https://github.com/arendst/Tasmota for a release after 15.3.0.3 and rebuild/flash affected devices once available. Until a fixed release is published, the most effective compensating control is to build or flash a Tasmota image that omits the Scripter driver (remove USE_SCRIPT from user_config_override.h), which fully eliminates the vulnerable fetch_jpg() code path at the cost of losing in-device scripting; if scripting must remain enabled, avoid scripts that invoke fetch_jpg() against untrusted URLs and restrict outbound HTTP from the device by network policy. Network-layer mitigations - placing Tasmota devices on an isolated VLAN, blocking arbitrary outbound HTTP from IoT segments, and restricting management access to trusted hosts - reduce exposure but do not remove the underlying stack overflow, and may break legitimate cloud/MQTT integrations.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today