CVE-2026-28521

HIGH 7.7

arduino-TuyaOpen TuyaIoT Out-of-Bounds Memory Read Information Disclosure

CVSS Score

7.7

EPSS Score

0.0%

EPSS Percentile

0th

arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition.

CWE	CWE-125
Vendor	tuya
Product	arduino-tuyaopen
Published	Mar 15, 2026
Last Updated	Mar 16, 2026

Stay Ahead of the Next One

Get instant alerts for tuya arduino-tuyaopen

Be the first to know when new high vulnerabilities affecting tuya arduino-tuyaopen are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Affected Versions

Tuya / arduino-TuyaOpen

0 < 1.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

src.tuya.com: https://src.tuya.com/announcement/32 github.com: https://github.com/tuya/arduino-TuyaOpen vulncheck.com: https://www.vulncheck.com/advisories/arduino-tuyaopen-tuyaiot-out-of-bounds-memory-read-information-disclosure

Credits

Maxime ROSSI BELLOM