Cyber Resilience

CVE-2026-0919

Severity: High

Published: 27 January 2026

Modified: 11 March 2026
KEV added: not listed
Patch: vendor firmware updates available (see Deeper analysis)
CVSS v4.0 score: 7.1 (vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0029 (52.8th percentile)
Risk priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0919 is a high-severity Improper Input Validation (CWE-20) vulnerability in TP-Link Tapo C220 firmware. Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 47.2% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0919 is a vulnerability in the HTTP parser of TP-Link Tapo C220 v1 and C520WS v2 cameras. The parser improperly handles HTTP requests containing an excessively long URL path, causing an invalid-URL error path to continue into cleanup code that assumes allocated buffers exist. This results in a crash and automatic service restart. The issue is classified under CWE-20 (Improper Input Validation) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. By sending crafted requests with excessively long URL paths, the attacker can trigger repeated service crashes or device reboots, resulting in a denial-of-service condition that disrupts camera functionality.
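The error-path pattern described above, shown as an added example that is not TP-Link's firmware code: a minimal HTTP request-line parser in C whose invalid-URL path is safe, because the path-length cap is enforced before any allocation and every buffer the cleanup label frees is NULL until it is actually allocated. The 256-byte MAX_PATH_LEN, the struct and the function names are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_PATH_LEN 256   /* assumed cap; illustrative parser, not TP-Link code */
struct request { char *path; char *query; };   /* heap copies, or NULL */

static char *dup_range(const char *s, size_t n) /* malloc'd copy of s[0..n) */
{
    char *p = malloc(n + 1);
    if (p) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* Parse "GET /path?query HTTP/1.1": 0 on success, -1 on invalid input. Both
 * pointers are NULL before any check can fail and the length check precedes
 * every malloc, so the invalid-URL path never touches an unallocated buffer. */
int parse_request_line(const char *line, struct request *req)
{
    const char *start, *end, *q;
    size_t len;
    req->path = req->query = NULL;          /* cleanup-safe state first */
    if (strncmp(line, "GET ", 4) != 0)
        goto cleanup;
    start = line + 4;
    if (*start != '/' || (end = strchr(start, ' ')) == NULL)
        goto cleanup;
    len = (size_t)(end - start);
    if (len > MAX_PATH_LEN)                 /* SI-10: reject before malloc */
        goto cleanup;
    q = memchr(start, '?', len);
    if ((req->path = dup_range(start, q ? (size_t)(q - start) : len)) == NULL)
        goto cleanup;
    if (q && (req->query = dup_range(q + 1, (size_t)(end - q - 1))) == NULL)
        goto cleanup;
    return 0;
cleanup:
    free(req->path); free(req->query);      /* free(NULL) is a no-op */
    req->path = req->query = NULL;
    return -1;
}
```

On a rejected request the struct comes back with both pointers NULL, so a caller's own cleanup can free it unconditionally without repeating the bug.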

TP-Link's support pages provide firmware updates that mitigate the issue for Tapo C220 v1 (including v1.60) and C520WS v2: https://www.tp-link.com/en/support/download/tapo-c220/v1/, https://www.tp-link.com/en/support/download/tapo-c520ws/v2/, https://www.tp-link.com/us/support/download/tapo-c220/v1.60/, and https://www.tp-link.com/us/support/download/tapo-c520ws/v2/. An FAQ at https://www.tp-link.com/us/support/faq/4923/ offers additional guidance.

EU & UK References

Vulnerability details

The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid-URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart.

An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct mapping to application/system exploitation causing service crash and DoS via crafted network input.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1315 (same product: TP-Link Tapo C220)
CVE-2026-0918 (same product: TP-Link Tapo C220)
CVE-2025-15606 (same vendor: TP-Link)
CVE-2026-34121 (same product: TP-Link Tapo C520WS)
CVE-2025-15035 (same vendor: TP-Link)
CVE-2025-9014 (same vendor: TP-Link)
CVE-2026-22862 (shared CWE-20)
CVE-2026-22868 (shared CWE-20)
CVE-2026-5509 (same vendor: TP-Link)
CVE-2025-70123 (shared CWE-20)

Affected Assets

tp-link tapo c220 firmware, versions ≤ 1.4.2
tp-link tapo c520ws firmware, versions ≤ 1.2.3

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent: Directly addresses the improper input validation (CWE-20) of excessively long URL paths in the HTTP parser, preventing crashes from invalid inputs.

prevent: Protects against denial-of-service attacks by limiting the effects of repeated service crashes and device reboots triggered by crafted long URL requests.

prevent: Ensures error paths, such as invalid-URL cleanup that assumes allocated buffers exist, do not produce exploitable crashes leading to denial of service.

References