What is CVE-2026-28519?

CVE-2026-28519 is a high-severity vulnerability in Tuya Arduino-tuyaopen, classified under Heap-based Buffer Overflow. CVSS score: 8.8/10. Published 2026-03-15.

How severe is CVE-2026-28519?

High severity. CVSS v3 base score is 8.8 out of 10.

Buffer overflow in Tuya Arduino-tuyaopen

CVE-2026-28519

arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can send malicious DNS responses to overflow t…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (0.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Tuya Arduino-tuyaopen — versions 0

Weakness classification (CWE)

CWE-122 — Heap-based Buffer Overflow

References

Tuya SRC Security Advisory (vendor-advisory)
arduino-TuyaOpen GitHub Repository (product)
VulnCheck Advisory: arduino-TuyaOpen DnsServer Heap-Based Buffer Overflow Remote Code Execution (third-party-advisory)

Frequently asked questions

What is CVE-2026-28519?: CVE-2026-28519 is a high-severity vulnerability in Tuya Arduino-tuyaopen, classified under Heap-based Buffer Overflow. CVSS score: 8.8/10. Published 2026-03-15.
How severe is CVE-2026-28519?: High severity. CVSS v3 base score is 8.8 out of 10.