Why single out bad Chinese coding? Bad US IoT coding has a longer history.
The GPS finding (CVE-2026-13230) has been publicly documented on this device class since 2020. A single UDP packet returns sub-meter home coordinates with no authentication required. TP-Link scored it 5.3 medium. My independent assessment is 7.1 high. Precise home coordinates aren't low confidentiality impact.
The credential finding (CVE-2026-9770) covers a fleet wide RSA key and unsalted MD5 TP-Link ID credentials. Same credentials provide global authentication across the TP-Link ecosystem.
Factory reset on a secondhand device doesn't clear the data. Connecting to the device's soft AP during setup and sending a single UDP packet returns the previous owner's GPS coordinates.