Arduino Tuyaopen
Monthly
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.
CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versions prior to 1.2.1, affecting IoT devices using Tuya's cloud platform. An attacker who compromises or controls the Tuya cloud service can send malformed DP (data point) events to trigger memory disclosure or denial-of-service conditions. While rated CVSS 7.7, the exploitation requires local access according to the vector, creating some contradiction with the cloud-based attack scenario described.
Single-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices, with a CVSS score of 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.
CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versions prior to 1.2.1, affecting IoT devices using Tuya's cloud platform. An attacker who compromises or controls the Tuya cloud service can send malformed DP (data point) events to trigger memory disclosure or denial-of-service conditions. While rated CVSS 7.7, the exploitation requires local access according to the vector, creating some contradiction with the cloud-based attack scenario described.
Single-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices, with a CVSS score of 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.