Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable app requiring only a low-privileged account (PR:L), no user interaction; SQLi escalates from app into host, justifying S:C with full host CIA impact.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi Talk Application to escalate privileges on the host device.
Articles & Coverage 1
AnalysisAI
Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with at least a low-privileged UniFi Talk Application account (CVSS PR:L) and network reachability to the Talk application interface (AV:N); no user interaction is needed (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mostly aligned toward high real-world risk but incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a low-privileged UniFi Talk account - for example a rank-and-file phone user or a compromised employee login - sends crafted input to a vulnerable Talk endpoint that is concatenated into a backend SQL query. By chaining the SQL injection flaws, the attacker manipulates the database and leverages the trusted execution context to escalate to host-level privileges on the UniFi device. … |
| Remediation | Patch available per vendor advisory: update the UniFi Talk Application to the fixed version described in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the input does not include an exact fixed version number, so verify the target build directly from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all UniFi Talk deployments; disable non-essential accounts and restrict authenticated access to named administrators only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Unifi Talk Application
View allPrivilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevate
Server-Side Request Forgery in Ubiquiti's UniFi Talk Application allows a network-positioned attacker to coerce the appl
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41390
GHSA-q2c2-qqhg-wj5p