CVE-2026-0919

Name of the Vulnerable Software and Affected Versions Tapo C220 version 1 Tapo C520WS version 2

Description The HTTP parser in the cameras does not correctly process requests with very long URL paths. This leads to a crash and service restart due to improper handling of allocated buffers in cleanup code. An attacker who does not need to be authenticated can repeatedly crash the service or reboot the device, resulting in a denial of service.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.