Search criteria
6 vulnerabilities found for Tapo C520WS v2 by TP-Link Systems Inc.
CVE-2026-1315 (GCVE-0-2026-1315)
Vulnerability from nvd – Published: 2026-01-27 17:53 – Updated: 2026-01-27 18:11
VLAI?
Title
Unauthenticated Denial of Service via Firmware Update Endpoint on TP-Link Tapo C220 & C520WS
Summary
By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TP-Link Systems Inc. | Tapo C220 v1 |
Affected:
0 , < 1.4.2 Build 251112
(custom)
|
|||||||
|
|||||||||
Credits
Diogo Almeida @NeWbie
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1315",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T18:11:29.682513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T18:11:48.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"http service"
],
"product": "Tapo C220 v1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.2 Build 251112",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.3 Build 251114",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diogo Almeida @NeWbie"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "By sending crafted files to the firmware update endpoint\u0026nbsp;of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity.\u0026nbsp;An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation."
}
],
"value": "By sending crafted files to the firmware update endpoint\u00a0of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity.\u00a0An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T17:53:29.242Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c220/v1.60/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c220/v1/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/4923/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Denial of Service via Firmware Update Endpoint on TP-Link Tapo C220 \u0026 C520WS",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-1315",
"datePublished": "2026-01-27T17:53:29.242Z",
"dateReserved": "2026-01-21T23:01:34.738Z",
"dateUpdated": "2026-01-27T18:11:48.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0919 (GCVE-0-2026-0919)
Vulnerability from nvd – Published: 2026-01-27 17:52 – Updated: 2026-01-27 18:10
VLAI?
Title
Unauthenticated Denial of Service via Oversized URL in HTTP Parser on TP-Link Tapo C220 & C520WS
Summary
The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TP-Link Systems Inc. | Tapo C220 v1 |
Affected:
0 , < 1.4.2 Build 251112
(custom)
|
|||||||
|
|||||||||
Credits
Diogo Almeida @NeWbie
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T18:08:59.269424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T18:10:00.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"http service"
],
"product": "Tapo C220 v1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.2 Build 251112",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.3 Build 251114",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diogo Almeida @NeWbie"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid\u2011URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart.\u0026nbsp;An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service."
}
],
"value": "The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid\u2011URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart.\u00a0An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T17:52:39.170Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c220/v1.60/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c220/v1/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/4923/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Denial of Service via Oversized URL in HTTP Parser on TP-Link Tapo C220 \u0026 C520WS",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-0919",
"datePublished": "2026-01-27T17:52:39.170Z",
"dateReserved": "2026-01-13T19:44:02.718Z",
"dateUpdated": "2026-01-27T18:10:00.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0918 (GCVE-0-2026-0918)
Vulnerability from nvd – Published: 2026-01-27 17:52 – Updated: 2026-02-09 23:45
VLAI?
Title
Null Pointer Dereference in Tapo SmartCam HTTP Service on TP-Link Tapo C220 & C520WS
Summary
The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
Severity ?
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TP-Link Systems Inc. | Tapo C220 v1 |
Affected:
0 , < 1.4.2 Build 251112
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Diogo Almeida @NeWbie
Azim Javed & Ayushman Agrawal Hingorani from CRAC Learning
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T18:07:03.278112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T18:07:32.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"http service"
],
"product": "Tapo C220 v1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.2 Build 251112",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.3 Build 251114",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tapo C100 v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.3 Build 251128",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diogo Almeida @NeWbie"
},
{
"lang": "en",
"type": "finder",
"value": "Azim Javed \u0026 Ayushman Agrawal Hingorani from CRAC Learning"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Tapo C220 v1 and C520WS v2 cameras\u2019 HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash.\u0026nbsp;An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable."
}
],
"value": "The Tapo C220 v1 and C520WS v2 cameras\u2019 HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash.\u00a0An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T23:45:04.943Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c220/v1.60/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c220/v1/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/4923/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c100/v5/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Null Pointer Dereference in Tapo SmartCam HTTP Service on TP-Link Tapo C220 \u0026 C520WS",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-0918",
"datePublished": "2026-01-27T17:52:04.348Z",
"dateReserved": "2026-01-13T19:43:58.914Z",
"dateUpdated": "2026-02-09T23:45:04.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1315 (GCVE-0-2026-1315)
Vulnerability from cvelistv5 – Published: 2026-01-27 17:53 – Updated: 2026-01-27 18:11
VLAI?
Title
Unauthenticated Denial of Service via Firmware Update Endpoint on TP-Link Tapo C220 & C520WS
Summary
By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TP-Link Systems Inc. | Tapo C220 v1 |
Affected:
0 , < 1.4.2 Build 251112
(custom)
|
|||||||
|
|||||||||
Credits
Diogo Almeida @NeWbie
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1315",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T18:11:29.682513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T18:11:48.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"http service"
],
"product": "Tapo C220 v1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.2 Build 251112",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.3 Build 251114",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diogo Almeida @NeWbie"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "By sending crafted files to the firmware update endpoint\u0026nbsp;of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity.\u0026nbsp;An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation."
}
],
"value": "By sending crafted files to the firmware update endpoint\u00a0of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity.\u00a0An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T17:53:29.242Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c220/v1.60/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c220/v1/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/4923/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Denial of Service via Firmware Update Endpoint on TP-Link Tapo C220 \u0026 C520WS",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-1315",
"datePublished": "2026-01-27T17:53:29.242Z",
"dateReserved": "2026-01-21T23:01:34.738Z",
"dateUpdated": "2026-01-27T18:11:48.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0919 (GCVE-0-2026-0919)
Vulnerability from cvelistv5 – Published: 2026-01-27 17:52 – Updated: 2026-01-27 18:10
VLAI?
Title
Unauthenticated Denial of Service via Oversized URL in HTTP Parser on TP-Link Tapo C220 & C520WS
Summary
The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TP-Link Systems Inc. | Tapo C220 v1 |
Affected:
0 , < 1.4.2 Build 251112
(custom)
|
|||||||
|
|||||||||
Credits
Diogo Almeida @NeWbie
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T18:08:59.269424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T18:10:00.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"http service"
],
"product": "Tapo C220 v1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.2 Build 251112",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.3 Build 251114",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diogo Almeida @NeWbie"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid\u2011URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart.\u0026nbsp;An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service."
}
],
"value": "The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid\u2011URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart.\u00a0An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T17:52:39.170Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c220/v1.60/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c220/v1/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/4923/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Denial of Service via Oversized URL in HTTP Parser on TP-Link Tapo C220 \u0026 C520WS",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-0919",
"datePublished": "2026-01-27T17:52:39.170Z",
"dateReserved": "2026-01-13T19:44:02.718Z",
"dateUpdated": "2026-01-27T18:10:00.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0918 (GCVE-0-2026-0918)
Vulnerability from cvelistv5 – Published: 2026-01-27 17:52 – Updated: 2026-02-09 23:45
VLAI?
Title
Null Pointer Dereference in Tapo SmartCam HTTP Service on TP-Link Tapo C220 & C520WS
Summary
The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
Severity ?
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TP-Link Systems Inc. | Tapo C220 v1 |
Affected:
0 , < 1.4.2 Build 251112
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Diogo Almeida @NeWbie
Azim Javed & Ayushman Agrawal Hingorani from CRAC Learning
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T18:07:03.278112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T18:07:32.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"http service"
],
"product": "Tapo C220 v1",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.2 Build 251112",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.3 Build 251114",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Tapo C100 v5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.3 Build 251128",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diogo Almeida @NeWbie"
},
{
"lang": "en",
"type": "finder",
"value": "Azim Javed \u0026 Ayushman Agrawal Hingorani from CRAC Learning"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Tapo C220 v1 and C520WS v2 cameras\u2019 HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash.\u0026nbsp;An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable."
}
],
"value": "The Tapo C220 v1 and C520WS v2 cameras\u2019 HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash.\u00a0An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T23:45:04.943Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c220/v1.60/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c220/v1/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/4923/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c100/v5/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Null Pointer Dereference in Tapo SmartCam HTTP Service on TP-Link Tapo C220 \u0026 C520WS",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-0918",
"datePublished": "2026-01-27T17:52:04.348Z",
"dateReserved": "2026-01-13T19:43:58.914Z",
"dateUpdated": "2026-02-09T23:45:04.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}