CVE-2026-0919
Published: 27 January 2026
Summary
CVE-2026-0919 is a high-severity Improper Input Validation (CWE-20) vulnerability in TP-Link Tapo C220 firmware. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 47.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0919 is a vulnerability in the HTTP parser of TP-Link Tapo C220 v1 and C520WS v2 cameras. The parser improperly handles HTTP requests containing an excessively long URL path, causing an invalid-URL error path to continue into cleanup code that assumes allocated buffers exist. This results in a crash and automatic service restart. The issue is classified under CWE-20 (Improper Input Validation) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. By sending crafted requests with excessively long URL paths, the attacker can trigger repeated service crashes or device reboots, resulting in a denial-of-service condition that disrupts camera functionality.
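As an added illustration that is not TP-Link's code and not part of this advisory, the hypothetical C below shows the error-path shape the analysis describes (an early rejection jumping into cleanup that frees buffers which were never allocated) beside the hardened form a firmware developer would want: the path length is bounded before any allocation, and every buffer pointer starts at NULL so the shared cleanup label is safe from any exit. The MAX_URL_PATH limit, the return codes and the function names are all assumptions.

```c
/* Hypothetical C illustration of the bug class described for CVE-2026-0919.
 * This is NOT TP-Link's firmware code; names and the limit are assumptions. */
#include <stdlib.h>
#include <string.h>

#define MAX_URL_PATH 256   /* assumed limit; the firmware's real bound is not public */

enum parse_rc { PARSE_OK = 0, PARSE_ERR_URL_TOO_LONG = -1, PARSE_ERR_NOMEM = -2 };

/* Vulnerable shape (sketch only): the length check fails before any buffer is
 * allocated, yet the error path jumps into the shared cleanup that frees them.
 * The pointers are uninitialised, so free() receives garbage and the process
 * crashes, which is what forces the service restart described above.
 *
 *   char *path_buf, *query_buf;                 // never set to NULL
 *   if (strlen(path) > MAX_URL_PATH) goto cleanup;
 *   path_buf = malloc(...); query_buf = malloc(...);
 * cleanup:
 *   free(path_buf); free(query_buf);             // undefined behaviour on error
 */

/* Hardened form: bound the input before touching the heap, start every resource
 * pointer at NULL so the single cleanup label is safe from any exit, and return
 * a rejection code instead of crashing. */
enum parse_rc parse_url_path(const char *path, size_t path_len, char **out_path)
{
    char *path_buf = NULL;
    char *query_buf = NULL;
    enum parse_rc rc;

    *out_path = NULL;
    if (path_len > MAX_URL_PATH)
        return PARSE_ERR_URL_TOO_LONG;    /* reject early: nothing to clean up yet */

    path_buf = malloc(path_len + 1);
    query_buf = malloc(MAX_URL_PATH + 1); /* scratch space for later query parsing */
    if (path_buf == NULL || query_buf == NULL) {
        rc = PARSE_ERR_NOMEM;
        goto cleanup;                     /* free(NULL) is a no-op, so this is safe */
    }
    memcpy(path_buf, path, path_len);
    path_buf[path_len] = '\0';
    *out_path = path_buf;                 /* ownership passes to the caller */
    path_buf = NULL;
    rc = PARSE_OK;
cleanup:
    free(path_buf);
    free(query_buf);
    return rc;
}
```

An overlong path now yields PARSE_ERR_URL_TOO_LONG and leaves out_path NULL, so the caller can answer with an HTTP error instead of the process dying.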
TP-Link support pages provide firmware downloads for mitigation, including resources for Tapo C220 v1 (such as v1.60) and C520WS v2 at locations like https://www.tp-link.com/en/support/download/tapo-c220/v1/, https://www.tp-link.com/en/support/download/tapo-c520ws/v2/, https://www.tp-link.com/us/support/download/tapo-c220/v1.60/, and https://www.tp-link.com/us/support/download/tapo-c520ws/v2/. An FAQ at https://www.tp-link.com/us/support/faq/4923/ offers additional guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4791
Vulnerability details
The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid-URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart.
An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct mapping to application/system exploitation causing service crash and DoS via crafted network input.
Mitigating Controls (NIST 800-53 r5)
Directly addresses the improper input validation (CWE-20) of excessively long URL paths in the HTTP parser, preventing crashes from invalid inputs.
Protects against denial-of-service attacks by limiting the effects of repeated service crashes and device reboots triggered by crafted long URL requests.
Ensures error paths, such as invalid-URL cleanup assuming allocated buffers, do not produce exploitable crashes leading to denial-of-service.