CVE-2026-0919
Published: 27 January 2026
Summary
CVE-2026-0919 is a high-severity Improper Input Validation (CWE-20) vulnerability in TP-Link Tapo C220 firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 34.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Directly implements checks on information inputs to reject invalid data before processing.
- Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct mapping to application/system exploitation: crafted network input causes a service crash and hence denial of service.
NVD Description
The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid-URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
Deeper analysis
CVE-2026-0919 is a vulnerability in the HTTP parser of TP-Link Tapo C220 v1 and C520WS v2 cameras. The parser improperly handles HTTP requests containing an excessively long URL path, causing an invalid-URL error path to continue into cleanup code that assumes allocated buffers exist. This results in a crash and automatic service restart. The issue is classified under CWE-20 (Improper Input Validation) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. By sending crafted requests with excessively long URL paths, the attacker can trigger repeated service crashes or device reboots, resulting in a denial-of-service condition that disrupts camera functionality.
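The bug class described above (an invalid-URL error path reaching cleanup code that frees buffers which were never allocated) is easiest to see in a small request-line parser. The following is an added, constructed illustration written for this page; it is not the Tapo firmware's code, and the MAX_PATH_LEN limit, the function names and the sample request lines are assumptions chosen for the example. It shows the two hardening steps that close this failure mode: every pointer the cleanup label frees is initialised to NULL, and the path length is validated before anything is allocated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not the Tapo firmware's code) of the bug class
 * behind CVE-2026-0919: an invalid-URL error path falling into cleanup code
 * that assumes buffers were already allocated. MAX_PATH_LEN is an assumed
 * limit chosen for the example, not a value taken from the advisory. */
#define MAX_PATH_LEN 1024

enum parse_result {
    PARSE_OK           =  0,
    PARSE_BAD_REQUEST  = -1,
    PARSE_URL_TOO_LONG = -2,
    PARSE_NO_MEMORY    = -3
};

struct request {
    char *method;
    char *path;
};

/* Copy n bytes into a fresh NUL-terminated buffer (portable strndup). */
static char *dup_range(const char *start, size_t n)
{
    char *buf = malloc(n + 1);
    if (!buf) return NULL;
    memcpy(buf, start, n);
    buf[n] = '\0';
    return buf;
}

/* Parse "METHOD SP PATH SP HTTP/x.y". On success req owns two heap strings;
 * on any failure req is left empty and nothing leaks. */
int parse_request_line(const char *line, struct request *req)
{
    /* Hardening 1: every pointer the cleanup label frees starts as NULL, so
     * an early exit never frees an indeterminate pointer. The weak pattern
     * this CVE describes leaves such pointers uninitialised and then jumps
     * to cleanup on the invalid-URL path. */
    char *method = NULL;
    char *path = NULL;
    int rc = PARSE_BAD_REQUEST;

    req->method = NULL;
    req->path = NULL;

    const char *sp1 = strchr(line, ' ');
    if (!sp1 || sp1 == line) goto cleanup;          /* missing or empty method */
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (!sp2 || sp2 == sp1 + 1) goto cleanup;       /* missing or empty path */

    /* Hardening 2: reject an over-long path before allocating anything, so
     * the too-long-URL path reaches cleanup with nothing to free. */
    size_t path_len = (size_t)(sp2 - (sp1 + 1));
    if (path_len > MAX_PATH_LEN) {
        rc = PARSE_URL_TOO_LONG;
        goto cleanup;
    }
    if (strncmp(sp2 + 1, "HTTP/", 5) != 0) goto cleanup;  /* bad version token */

    method = dup_range(line, (size_t)(sp1 - line));
    if (!method) { rc = PARSE_NO_MEMORY; goto cleanup; }
    path = dup_range(sp1 + 1, path_len);
    if (!path) { rc = PARSE_NO_MEMORY; goto cleanup; }

    req->method = method;
    req->path = path;
    return PARSE_OK;

cleanup:
    /* free(NULL) is a no-op, so this is safe on every error path. */
    free(method);
    free(path);
    return rc;
}

void request_free(struct request *req)
{
    free(req->method);
    free(req->path);
    req->method = NULL;
    req->path = NULL;
}

/* Build a constructed request line whose path is n bytes ("/" then 'A's),
 * parse it, and return the parser's result code. */
int parse_path_of_length(size_t n)
{
    if (n == 0) return PARSE_BAD_REQUEST;
    char *line = malloc(4 + n + 10);            /* "GET " + path + " HTTP/1.1\0" */
    if (!line) return PARSE_NO_MEMORY;
    memcpy(line, "GET ", 4);
    line[4] = '/';
    memset(line + 5, 'A', n - 1);
    memcpy(line + 4 + n, " HTTP/1.1", 10);
    struct request req;
    int rc = parse_request_line(line, &req);
    if (rc == PARSE_OK) request_free(&req);
    free(line);
    return rc;
}

int main(void)
{
    printf("normal path   -> %d\n", parse_path_of_length(16));
    printf("path at limit -> %d\n", parse_path_of_length(MAX_PATH_LEN));
    printf("path too long -> %d\n", parse_path_of_length(MAX_PATH_LEN + 1));
    return 0;
}
```

The over-long path returns PARSE_URL_TOO_LONG and runs the same cleanup label as every other error, but because the length check precedes allocation and the pointers start as NULL, that path frees nothing. A review of error-handling code in a network parser can check both properties mechanically: each pointer named under the cleanup label must be initialised before the first goto, and no goto may precede the validation of the input that bounds those allocations.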
TP-Link support pages provide the firmware downloads that mitigate this issue, covering Tapo C220 v1 (including v1.60) and C520WS v2, at https://www.tp-link.com/en/support/download/tapo-c220/v1/, https://www.tp-link.com/en/support/download/tapo-c520ws/v2/, https://www.tp-link.com/us/support/download/tapo-c220/v1.60/, and https://www.tp-link.com/us/support/download/tapo-c520ws/v2/. An FAQ at https://www.tp-link.com/us/support/faq/4923/ offers additional guidance.
Details
- CWE(s)