Is Command Injection affected by CVE-2026-25643?

Frigate NVR deployments are vulnerable to remote command execution attacks that could allow unauthorized actors to gain complete control of video surveillance systems and potentially pivot to other network infrastructure.

CVE-2026-25643

CRITICAL

2026-02-06 [email protected]

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 11, 2026 - 19:00 vuln.today

Public exploit code

CVE Published

Feb 06, 2026 - 20:16 nvd

CRITICAL 9.1

Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.

Analysis

Frigate NVR has a command injection vulnerability (CVSS 9.1) allowing authenticated attackers to execute OS commands on the network video recorder.

Remediation

Within 24 hours: Inventory all Frigate deployments and isolate affected systems on a segmented network with restricted access; disable go2rtc integration if not operationally critical. Within 7 days: Implement network-based access controls limiting Frigate to authorized users only, enforce authentication mechanisms, and monitor logs for exploitation attempts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +46

POC: +20

CVE-2026-25643 vulnerability details – vuln.today

Back

CVE-2026-25643

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-25643

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code