Impact
A buffer overflow exists in the fetch_jpg() function of the Tasmota scripter driver. The flaw permits a remote attacker to send a crafted payload that overwrites the stack and hijacks program control, leading to arbitrary code execution. The vulnerability is a classic stack overflow (CWE-120) and could allow the attacker to execute shell commands, access data, or pivot to other devices on the network.
Affected Systems
Devices running Tasmota version 15.3.0.3 or earlier are affected. The vulnerability resides in the tasmota_xdrv_driver/xdrv_10_scripter.ino component. No specific vendor or product list is available beyond the open‑source Tasmota firmware, but any IoT device that uses the vulnerable firmware revision is at risk.
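To apply the "15.3.0.3 or earlier" boundary to a device inventory, the following added example (not part of the advisory or the Tasmota project) classifies firmware version strings. It assumes the versions were collected from each device's `Status 2` response under `StatusFWR.Version`; the sample responses and addresses are constructed. It compares versions only and does not tell you whether the scripter driver is compiled into a given build.

```python
import json
import re

# Last affected version, taken from the advisory text above.
LAST_AFFECTED = (15, 3, 0, 3)

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Return a 4-tuple from a string such as '15.3.0.3(tasmota)', or None."""
    if not isinstance(text, str):
        return None
    m = _VERSION_RE.match(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Release builds report three components; pad so 15.3.0 == 15.3.0.0.
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version_text):
    """True/False for a parsed version, None when it cannot be parsed."""
    v = parse_version(version_text)
    return None if v is None else v <= LAST_AFFECTED


def triage(status_by_host):
    """Map host -> 'affected' | 'not affected' | 'unknown' (assumed JSON layout)."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    result = {}
    for host, raw in status_by_host.items():
        try:
            version = json.loads(raw)["StatusFWR"]["Version"]
        except (ValueError, KeyError, TypeError):
            version = None  # malformed or unexpected response
        result[host] = labels[is_affected(version)]
    return result


# Constructed sample responses (documentation addresses, not real devices).
SAMPLE = {
    "192.0.2.10": '{"StatusFWR":{"Version":"15.3.0.3(tasmota)"}}',
    "192.0.2.11": '{"StatusFWR":{"Version":"15.3.0(release-tasmota)"}}',
    "192.0.2.12": '{"StatusFWR":{"Version":"15.3.0.4(tasmota)"}}',
    "192.0.2.13": '{"Command":"Unknown"}',
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(host, verdict)
```

Hosts reported as `unknown` should be checked by hand rather than assumed safe.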
Risk and Exploitability
The CVSS score indicates a high‑severity remote code execution flaw, while the EPSS score is currently unavailable, so the precise likelihood of exploitation is unknown. The vulnerability is not yet listed in the CISA KEV catalog. As the flaw exists in publicly accessible code, an attacker can exploit it by sending a malicious HTTP request to the device’s script endpoint without authentication, provided the device is reachable from the attacker’s network. Given the potential for complete compromise, the risk is significant for any exposed Tasmota deployment.
OpenCVE Enrichment