Skip to main content

Ubiquiti

Vendor security scorecard – 44 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 462
44
CVEs
18
Critical
25
High
3
KEV
4
PoC
2
Unpatched C/H
95.5%
Patch Rate
0.2%
Avg EPSS

Severity Breakdown

CRITICAL
18
HIGH
25
MEDIUM
1
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-34910 Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. CRITICAL 10.0 0.1% 120
KEV PoC
CVE-2026-34909 Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. CRITICAL 10.0 0.0% 120
KEV PoC
CVE-2026-34908 Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments. CRITICAL 10.0 0.0% 120
KEV PoC
CVE-2026-22557 A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attackers to access arbitrary files on the underlying system and manipulate them to gain account access. This vulnerability affects Ubiquiti's UniFi Network Application with a maximum CVSS score of 10.0, indicating critical severity with network-based exploitation requiring no user interaction or privileges. The vulnerability was reported through HackerOne, suggesting responsible disclosure, though current exploitation status in the wild is not confirmed. CRITICAL 10.0 0.0% 70
PoC No patch
CVE-2026-50746 Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided. CRITICAL 10.0 0.8% 51
CVE-2026-50748 Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. CRITICAL 9.9 0.8% 50
CVE-2026-50747 Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low bar of only needing minimal authenticated access makes this a high-priority patch for exposed UniFi Talk deployments. CRITICAL 9.9 0.2% 50
CVE-2026-55115 Privilege escalation via Server-Side Request Forgery in Ubiquiti's UniFi Protect Application allows a low-privileged, network-adjacent attacker to coerce the application into making attacker-controlled requests and escalate to control of the host device. The CVSS 9.9 rating is driven by a scope change (S:C) plus full confidentiality, integrity, and availability impact, meaning the SSRF crosses a security boundary from the application into the underlying host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided. CRITICAL 9.9 0.2% 50
CVE-2026-47370 Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitrary OS commands on UniFi gateways, controllers, NVRs, and NAS devices, with a CVSS 9.9 score reflecting scope change and full CIA impact. The vulnerability affects a broad device family including UDM, UDM Pro/SE/Max/Beast, UDR, UDW, UCG, UNVR, and UNAS lines per Ubiquiti Security Advisory Bulletin 065. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV. CRITICAL 9.9 0.2% 50
CVE-2026-47369 Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on affected UniFi OS devices and instances due to improper input validation (CWE-20). The CVSS 9.9 score reflects a scope-changing impact spanning UniFi Dream Machine, UniFi Express, UDR, UCG, UNVR, UNAS, and other UniFi OS Server platforms. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV. CRITICAL 9.9 0.1% 50
CVE-2026-54408 Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority. CRITICAL 9.8 0.3% 49
CVE-2026-55116 Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways. CRITICAL 9.8 0.2% 49
CVE-2026-22562 Path traversal in UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) firmware allows unauthenticated remote attackers to write arbitrary files for remote code execution. CVSS 9.8 critical severity reflects network-accessible attack requiring no authentication or user interaction. EPSS score of 0.11% (30th percentile) suggests low immediate exploitation probability despite critical rating. No public exploit identified at time of analysis. Reported via HackerOne bug bounty, vendor patches avai CRITICAL 9.8 0.1% 49
CVE-2026-22563 Critical command injection in Ubiquiti UniFi Play PowerAmp and Audio Port allows remote unauthenticated attackers to execute arbitrary commands with network access to the device management interface. Affects PowerAmp versions ≤1.0.35 and Audio Port versions ≤1.0.24. CVSS 9.8 critical severity reflects network-accessible attack with no authentication barriers. EPSS score of 0.08% (24th percentile) suggests low immediate exploitation probability despite critical scoring. Vendor-released patches av CRITICAL 9.8 0.1% 49
CVE-2026-22564 Remote unauthenticated attackers can enable SSH and gain complete system control on Ubiquiti UniFi Play PowerAmp (≤1.0.35) and UniFi Play Audio Port (≤1.0.24) devices via improper access control. The vulnerability bypasses authentication mechanisms, allowing network-accessible adversaries to modify system configurations with critical impact across confidentiality, integrity, and availability (CVSS 9.8). No public exploit identified at time of analysis, with low EPSS probability (0.01%, 3rd percentile) suggesting limited observed exploitation attempts despite the critical severity rating. CRITICAL 9.8 0.0% 49

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy