Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vulnerability in the WiFiMulti component. When the victim's smart hardware connects to an attacker-controlled AP hotspot, the attacker can exploit the overflow to execute arbitrary code on the affected embedded device.
Analysis (AI)
A single-byte buffer overflow in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices. The CVSS score is 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.
Vulnerability Assessment (AI)
| Exploitation | Victim's Arduino device running arduino-TuyaOpen before 1.2.1 must connect to attacker-controlled WiFi access point broadcasting crafted SSID payload targeting WiFiMulti component. |
| Risk Assessment | Despite the high CVSS score (8.4), the real-world risk presents contradictions. … |
| Exploit Scenario | An attacker sets up a malicious WiFi access point mimicking a legitimate network name. When a vulnerable smart device attempts to connect to this AP through the WiFiMulti component, the attacker sends specially crafted data that triggers the single-byte buffer overflow, allowing arbitrary code execution on the embedded device. … |
| Remediation | Update arduino-TuyaOpen to version 1.2.1 or later, which contains the fix for this vulnerability. … |
Recommended Action (AI)
Within 24 hours: Identify all systems using arduino-TuyaOpen library versions before 1.2.1 and document deployment locations. …
More in Arduino Tuyaopen
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before
CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versio
Arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in its WiFiUDP component that al
Same weakness CWE-193 – Off-by-one Error
EUVD-2026-12227