CVE-2026-1315 HIGH

CVE-2026-1315: Unauthenticated Denial of Service via Firmware Update Endpoint on TP-Link Tapo C220 & C520WS

Vendor TP-Link Systems Inc.
Product Tapo C220 v1
Weakness CWE-20 · Input validation
Published January 27, 2026
Last update January 27, 2026

CVSS base score

7.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

When crafted files are sent to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application-initiated restart to restore normal device operation.

Key dates

02 Disclosure timeline

January 27, 2026 CVE published
January 27, 2026 Record updated