CVE-2026-0919

Unauthenticated Denial of Service via Oversized URL in HTTP Parser on TP-Link Tapo C210, C220 & C520WS

Description

The HTTP parser of Tapo C210 v3, C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.

INFO

Published Date :

2026-01-27T17:52:39.170Z

Last Modified :

2026-04-29T16:14:38.524Z

Source :

TPLink

AFFECTED PRODUCTS

The following products are affected by CVE-2026-0919 vulnerability.

Vendors	Products
Tp-link	Tapo Tapo C220 Tapo C220 Firmware Tapo C220 V1 Tapo C520ws Tapo C520ws Firmware Tapo C520ws V2

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-0919.

URL	Resource
https://www.tp-link.com/en/support/download/tapo-c210/v3/
https://www.tp-link.com/en/support/download/tapo-c220/v1/
https://www.tp-link.com/en/support/download/tapo-c520ws/v2/
https://www.tp-link.com/us/support/download/tapo-c210/v3/
https://www.tp-link.com/us/support/download/tapo-c220/v1.60/
https://www.tp-link.com/us/support/download/tapo-c520ws/v2/
https://www.tp-link.com/us/support/faq/4923/

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact