What is the CVSS score of CVE-2026-25643?

CVE-2026-25643 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of Frigate are affected by CVE-2026-25643?

Frigate NVR deployments are vulnerable to remote command execution attacks that could allow unauthorized actors to gain complete control of video surveillance systems and potentially pivot to other…

Is there a public PoC exploit available for CVE-2026-25643?

Yes, a public proof-of-concept exploit is available for CVE-2026-25643. Prioritise patching immediately. EPSS: 0.3%.

How to fix or mitigate CVE-2026-25643?

Within 24 hours: Inventory all Frigate deployments and isolate affected systems on a segmented network with restricted access; disable go2rtc integration if not operationally critical. Within 7 days: Implement network-based access controls limiting Frigate to authorized users only, enforce authentication mechanisms, and monitor logs for exploitation attempts. Within 30 days: Prepare upgrade path to version 0.16.4 or later when available; establish update testing procedures and deploy patches immediately upon release.

Frigate CVE-2026-25643

CRITICAL

OS Command Injection (CWE-78)

2026-02-06 security-advisories@github.com

Command Injection RCE Frigate

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 11, 2026 - 19:00 vuln.today

Public exploit code

CVE Published

Feb 06, 2026 - 20:16 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.

AnalysisAI

Frigate NVR has a command injection vulnerability (CVSS 9.1) allowing authenticated attackers to execute OS commands on the network video recorder.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Access Frigate config.yaml

Exploit

Inject malicious commands in exec: directive

Execution

go2rtc executes unsanitized commands

Impact

Achieve remote code execution as service user

Access

Access Frigate config.yaml

Exploit

Inject malicious commands in exec: directive

Execution

go2rtc executes unsanitized commands

Impact

Achieve remote code execution as service user

Vulnerability AssessmentAI

Exploitation	Frigate versions prior to 0.16.4 with go2rtc integration enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.1 with PoC. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker injects OS commands through the Frigate interface to gain shell access, then accesses all camera feeds, modifies recording configurations, or deletes surveillance footage.
Remediation	Update Frigate. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Frigate deployments and isolate affected systems on a segmented network with restricted access; disable go2rtc integration if not operationally critical. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25643 vulnerability details – vuln.today

Back

Frigate CVE-2026-25643

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code