FKIE_CVE-2026-0919

Vulnerability from fkie_nvd - Published: 2026-01-27 18:15 - Updated: 2026-03-11 22:23
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
References
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/en/support/download/tapo-c220/v1/Product
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/en/support/download/tapo-c520ws/v2/Product
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/us/support/download/tapo-c220/v1.60/Product
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/us/support/download/tapo-c520ws/v2/Product
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/us/support/faq/4923/Vendor Advisory
Impacted products
Vendor Product Version
tp-link tapo_c220_firmware *
tp-link tapo_c220 1
tp-link tapo_c520ws_firmware *
tp-link tapo_c520ws 2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tp-link:tapo_c220_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F337B275-4344-4B21-9C3F-5E01F56C8015",
              "versionEndExcluding": "1.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tp-link:tapo_c220:1:*:*:*:*:*:*:*",
              "matchCriteriaId": "671BCAEE-4AA0-4924-88E2-3B3C9087D171",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "65DE4797-2C90-4C4A-BCA1-41F514F8153D",
              "versionEndExcluding": "1.2.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tp-link:tapo_c520ws:2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8E6B561-8739-4823-9226-82FE5084EE01",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid\u2011URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart.\u00a0An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service."
    },
    {
      "lang": "es",
      "value": "El analizador HTTP de las c\u00e1maras Tapo C220 v1 y C520WS v2 maneja incorrectamente las solicitudes que contienen una ruta URL excesivamente larga. Una ruta de error de URL no v\u00e1lida contin\u00faa hacia el c\u00f3digo de limpieza que asume la existencia de b\u00faferes asignados, lo que provoca un fallo y un reinicio del servicio. Un atacante no autenticado puede forzar repetidos fallos del servicio o reinicios del dispositivo, causando denegaci\u00f3n de servicio."
    }
  ],
  "id": "CVE-2026-0919",
  "lastModified": "2026-03-11T22:23:40.350",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "ADJACENT",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-27T18:15:55.120",
  "references": [
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Product"
      ],
      "url": "https://www.tp-link.com/en/support/download/tapo-c220/v1/"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Product"
      ],
      "url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Product"
      ],
      "url": "https://www.tp-link.com/us/support/download/tapo-c220/v1.60/"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Product"
      ],
      "url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.tp-link.com/us/support/faq/4923/"
    }
  ],
  "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.