{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-6239","assignerOrgId":"f23511db-6c3e-4e32-a477-6aa17d310630","state":"PUBLISHED","assignerShortName":"TPLink","dateReserved":"2026-04-13T17:10:22.074Z","datePublished":"2026-06-05T23:50:59.001Z","dateUpdated":"2026-06-08T13:07:41.431Z"},"containers":{"cna":{"providerMetadata":{"orgId":"f23511db-6c3e-4e32-a477-6aa17d310630","shortName":"TPLink","dateUpdated":"2026-06-05T23:50:59.001Z"},"title":"Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520WS","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-121","description":"CWE-121 Stack-based buffer overflow","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-100","descriptions":[{"lang":"en","value":"CAPEC-100 Overflow Buffers"}]}],"affected":[{"vendor":"TP-Link Systems Inc.","product":"Tapo C520WS v2","versions":[{"status":"affected","version":"0","lessThan":"1.2.6 Build 260528","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"A stack‑based\nbuffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where\nthe device fails to properly validate the number of XML user nodes during\nrequest processing. An authenticated attacker can send a specially crafted\nONVIF request containing an excessive number of user entries to trigger memory\ncorruption.\n\n\n\n\n\n\n\n\n\nSuccessful\nexploitation may cause the ONVIF management service to terminate unexpectedly,\nresulting in a denial‑of‑service (DoS) condition that disrupts device\nconfiguration and management functions.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>A stack‑based\nbuffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where\nthe device fails to properly validate the number of XML user nodes during\nrequest processing. An authenticated attacker can send a specially crafted\nONVIF request containing an excessive number of user entries to trigger memory\ncorruption.</p><p>\n\n</p><p>Successful\nexploitation may cause the ONVIF management service to terminate unexpectedly,\nresulting in a denial‑of‑service (DoS) condition that disrupts device\nconfiguration and management functions.</p>"}]}],"references":[{"url":"https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes","tags":["patch"]},{"url":"https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes","tags":["patch"]},{"url":"https://www.tp-link.com/us/support/faq/5120/","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":6.8,"vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.1"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-08T13:07:25.793532Z","id":"CVE-2026-6239","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-08T13:07:41.431Z"}}]}}