Description
The HTTP parser of Tapo C210 v3, C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
Published: 2026-01-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HTTP parser in TP‑Link Tapo C210 v3, Tapo C220 v1, and Tapo C520WS v2 cameras mishandles requests containing an excessively long URL path. An invalid‑URL error path propagates into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. The flaw allows any unauthenticated user to repeatedly trigger service restarts or device reboots, resulting in denial of service. The underlying weakness is improper bounds checking and buffer handling, as identified by CWE‑20.
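
The error-path pattern described above, sketched as an added example in C. This is not TP-Link firmware code; the struct, the function names and the 256-byte limit are assumptions. The length check runs before any allocation, and cleanup tolerates buffers that were never allocated.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN 256  /* assumed limit, not the firmware's value */

struct request { char *path; char *query; };  /* hypothetical layout */

/* Safe on every exit path: free(NULL) is a no-op, and clearing the
 * pointers makes a repeated call harmless. A cleanup that instead
 * dereferenced r->path would crash whenever parsing bailed out early. */
static void request_cleanup(struct request *r) {
    free(r->path);
    free(r->query);
    r->path = r->query = NULL;
}

static char *copy_span(const char *s, size_t n) {
    char *out = malloc(n + 1);
    if (out != NULL) {
        memcpy(out, s, n);
        out[n] = '\0';
    }
    return out;
}

/* Returns 0 on success, otherwise the HTTP status to send. */
static int request_parse_target(struct request *r, const char *target) {
    r->path = r->query = NULL;  /* defined state before any early return */
    if (target == NULL || target[0] != '/')
        return 400;
    const char *q = strchr(target, '?');
    size_t path_len = q ? (size_t)(q - target) : strlen(target);
    if (path_len > MAX_PATH_LEN)
        return 414;  /* URI Too Long: rejected before anything is allocated */
    r->path = copy_span(target, path_len);
    if (q != NULL)
        r->query = copy_span(q + 1, strlen(q + 1));
    if (r->path == NULL || (q != NULL && r->query == NULL))
        return 500;  /* partial allocation is released by the caller */
    return 0;
}

/* Every outcome, valid or not, funnels through the same cleanup call. */
int handle_target(const char *target) {
    struct request r;
    int rc = request_parse_target(&r, target);
    request_cleanup(&r);
    return rc == 0 ? 200 : rc;
}
```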

Affected Systems

TP‑Link Systems Inc. devices Tapo C210 v3, Tapo C220 v1, and Tapo C520WS v2 are affected. The vulnerability applies to the firmware packages listed for each model on TP‑Link’s support site and is present in firmware versions before the latest publicly available release.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit it remotely by sending crafted HTTP requests to the web interface of any affected device without authentication, causing the device to crash or reboot repeatedly. No additional pre‑conditions are required beyond network reachability to the camera’s web service.

Generated by OpenCVE AI on April 29, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest TP‑Link firmware updates for the Tapo C210 v3, Tapo C220 v1, and Tapo C520WS v2 devices to eliminate the parsing flaw
  • Block or restrict external HTTP/HTTPS access to the camera by filtering port 80/443 on the network perimeter
  • If an update is not immediately available, quarantine the device or disable its web interface to prevent remote triggering of the crash

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
  Values Added: The HTTP parser of Tapo C210 v3, C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
Title
  Values Removed: Unauthenticated Denial of Service via Oversized URL in HTTP Parser on TP-Link Tapo C220 & C520WS
  Values Added: Unauthenticated Denial of Service via Oversized URL in HTTP Parser on TP-Link Tapo C210, C220 & C520WS
References

Wed, 11 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link tapo C220
Tp-link tapo C220 Firmware
Tp-link tapo C520ws
Tp-link tapo C520ws Firmware
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:h:tp-link:tapo_c220:1:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:tapo_c520ws:2:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c220_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link tapo C220
Tp-link tapo C220 Firmware
Tp-link tapo C520ws
Tp-link tapo C520ws Firmware
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tapo
Tp-link tapo C220 V1
Tp-link tapo C520ws V2
Vendors & Products Tp-link
Tp-link tapo
Tp-link tapo C220 V1
Tp-link tapo C520ws V2

Tue, 27 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
Description The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
Title Unauthenticated Denial of Service via Oversized URL in HTTP Parser on TP-Link Tapo C220 & C520WS
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-04-29T16:14:38.524Z

Reserved: 2026-01-13T19:44:02.718Z

Link: CVE-2026-0919

Vulnrichment

Updated: 2026-01-27T18:09:08.814Z

NVD

Status: Modified

Published: 2026-01-27T18:15:55.120

Modified: 2026-04-29T17:16:40.793

Link: CVE-2026-0919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses