Back to overview

CVE-2026-13230

MEDIUM
5.3
CVSS 4.0
Description
An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which exposes sensitive geolocation information without requiring authentication. This issue allows an attacker on the same local network to retrieve geolocation-related data through crafted responses. The vulnerability impacts confidentiality only, with no evidence of integrity of availability impact.

Metadata

CVE ID
CVE-2026-13230
State
PUBLISHED
Assigner
TPLink
Reserved
2026-06-24 17:50 UTC
Published
2026-07-15 00:21 UTC
Last updated
2026-07-15 00:21 UTC
Primary CWE
CWE-200
CWE-200 Exposure of Sensitive Information to an Unauthorized…
Vendor / Product
TP-Link Systems Inc. / Kasa EC71 v4
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 4.0
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (2)
VendorProductPlatformVersions
TP-Link Systems Inc. Kasa EC70 v4 NVMP 0 < 2.4.1 Build 20260621 rel.76536
TP-Link Systems Inc. Kasa EC71 v4 NVMP 0 < 2.4.1 Build 20260621 rel.76536
Weakness (CWE)
CWESourceDescription
CWE-200 cna CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 4.0 cna CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Back to overview