arendst/Tasmota

GitHub

github.com

tasmota.github.io

Releases133

Frequency3 weeks 4 days

Last Release about 1 month ago

Stars24.5K

Alternative firmware for ESP8266 and ESP32 based devices with easy configuration using webUI, OTA updates, automation using timers or rules, expandability and entirely local control over MQTT, HTTP, Serial or KNX. Full documentation at

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-38427 ↗	May 27, 2026Wednesday, 27 May 2026, 14:16	7.3 HIGH	—
An issue in fetch_jpg() in xdrv_10_scripter.ino in Tasmota through 15.3.0.3 allows a remote attacker to cause heap buffer overflow. The Content-Length from a JPEG stream is stored in a uint16_t variable; values above 65535 wrap around, causing allocation of a smaller buffer than the data actually read.
CVE-2026-38422 ↗	May 27, 2026Wednesday, 27 May 2026, 14:16	7.3 HIGH	—
Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, fetch_jpg() function.
CVE-2026-38426 ↗	May 27, 2026Wednesday, 27 May 2026, 14:16	7.3 HIGH	—
Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the xdrv_10_scripter.ino, fetch_jpg(), jpg_task.boundary[40], strcpy() function.
CVE-2021-36603 ↗	Jan 9, 2023Monday, 9 January 2023, 21:15	6.1 MEDIUM	—
Cross Site Scripting (XSS) in Tasmota firmware 6.5.0 allows remote attackers to inject JavaScript code via a crafted string in the field "Friendly Name 1".
CVE-2022-43294 ↗	Nov 14, 2022Monday, 14 November 2022, 22:15	9.8 CRITICAL	—
Tasmota before commit 066878da4d4762a9b6cb169fdf353e804d735cfd was discovered to contain a stack overflow via the ClientPortPtr parameter at lib/libesp32/rtsp/CRtspSession.cpp.