Tapo
by TP-Link
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-9293 | | Hig | 0.53 | 8.1 | 0.00 | | Feb 13, 2026 | A vulnerability in the certificate validation logic may allow applications to accept untrusted or improperly validated server identities during TLS communication. An attacker in a privileged network position may be able to intercept or modify traffic if they can position… |
| CVE-2025-9292 | | Hig | 0.49 | 7.5 | 0.00 | | Feb 13, 2026 | A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web… |
| CVE-2025-14553 | | Hig | 0.46 | — | 0.00 | | Dec 16, 2025 | Exposure of password hashes through an unauthenticated API response in TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute force the password in the local network. Issue can be mitigated through mobile application updates. Device firmware remains… |
| CVE-2025-4975 | | Med | 0.31 | — | 0.00 | | May 22, 2025 | When a notification relating to low battery appears for a user with whom the device has been shared, tapping the notification grants full access to the power settings of that device. |
| CVE-2024-31340 | | Med | 0.31 | 4.8 | 0.00 | | May 22, 2024 | TP-Link Tether versions prior to 4.5.13 and TP-Link Tapo versions prior to 3.3.6 do not properly validate certificates, which may allow a remote unauthenticated attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack. |
| CVE-2023-27098 | | | 0.00 | — | 0.00 | | Jan 9, 2024 | TP-Link Tapo APK up to v2.12.703 uses hardcoded credentials for access to the login panel. |
| CVE-2023-34829 | | | 0.00 | — | 0.00 | | Dec 28, 2023 | Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext. |