25
CVEs
7
Critical
17
High
0
KEV
0
PoC
0
Unpatched C/H
100.0%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
7
HIGH
17
MEDIUM
1
LOW
0
Monthly CVE Trend
Affected Products (30)
Express 7
14
Unifi Os Server
13
Unifi Network Application
9
Er X Sfp Firmware
8
Udr
8
Udr7
8
Efg
8
Er X Firmware
8
Udm Beast
8
Ucg Max
8
Ucg Fiber
8
Udr 5G
8
Udm Pro Max
8
Udm
8
Udm Se
8
Ucg Ultra
8
Ucg Industrial
8
Udm Pro
8
Udw
8
Unvr G2
7
Envr Core
7
Unvr Pro
7
Dream Routers
7
Unas Pro 8
7
Unas Pro 4
7
Unas 4
7
Cloud Gateways
7
Uck Enterprise
7
Unvr Instant
7
Unvr
7
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-50746 | Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided. | CRITICAL | 10.0 | 0.8% | 51 |
|
| CVE-2026-50748 | Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. | CRITICAL | 9.9 | 0.8% | 50 |
|
| CVE-2026-50747 | Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low bar of only needing minimal authenticated access makes this a high-priority patch for exposed UniFi Talk deployments. | CRITICAL | 9.9 | 0.2% | 50 |
|
| CVE-2026-55115 | Privilege escalation via Server-Side Request Forgery in Ubiquiti's UniFi Protect Application allows a low-privileged, network-adjacent attacker to coerce the application into making attacker-controlled requests and escalate to control of the host device. The CVSS 9.9 rating is driven by a scope change (S:C) plus full confidentiality, integrity, and availability impact, meaning the SSRF crosses a security boundary from the application into the underlying host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided. | CRITICAL | 9.9 | 0.2% | 50 |
|
| CVE-2026-54408 | Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority. | CRITICAL | 9.8 | 0.3% | 49 |
|
| CVE-2026-55116 | Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-54400 | Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV. | CRITICAL | 9.1 | 0.3% | 46 |
|
| CVE-2026-54402 | Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as none, but the technical impact is total and a vendor patch is already available. | HIGH | 8.8 | 0.8% | 45 |
|
| CVE-2026-54404 | Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the CVSS 8.8 rating and low attack complexity make it a meaningful escalation risk once an attacker has any authenticated foothold. | HIGH | 8.8 | 0.2% | 44 |
|
| CVE-2026-56841 | Privilege escalation in Ubiquiti's UniFi Protect Application is possible through an authenticated SQL injection (CWE-89) reachable by a low-privileged user with network access, letting that attacker escalate privileges on the underlying host device with full confidentiality, integrity, and availability impact. The flaw was reported through HackerOne and disclosed in Ubiquiti Security Advisory Bulletin 066; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 8.8 (AV:N/AC:L/PR:L) it is a high-priority patch for any exposed NVR/Protect deployment. | HIGH | 8.8 | 0.2% | 44 |
|
| CVE-2026-55114 | Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV. | HIGH | 8.8 | 0.2% | 44 |
|
| CVE-2026-54401 | Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across the Dream Machine, Dream Router, Cloud Gateway, Cloud Key, Enterprise Fortress/Firewall, and NVR/EVR product lines running versions below 5.1.19. A low-privileged user with network access can coerce the device into making attacker-controlled internal requests, leveraging the SSRF to reach privileged internal services and elevate to higher privileges within the appliance. No public exploit identified at time of analysis, EPSS risk is low (0.20%, 10th percentile), and the flaw is not listed in CISA KEV, but a vendor patch is available. | HIGH | 8.8 | 0.2% | 44 |
|
| CVE-2026-55112 | Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority. | HIGH | 8.8 | 0.2% | 44 |
|
| CVE-2026-54406 | Privilege escalation via path traversal in self-hosted UniFi Network Application (Ubiquiti's controller software) allows an authenticated, high-privileged attacker with network access to write files outside intended directories and escalate write permissions on the underlying host. The CVSS 3.1 base score is 8.7 with a scope change, reflecting that the flaw lets the application's write capability break out to affect the host system beyond the application's security boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. | HIGH | 8.7 | 0.3% | 44 |
|
| CVE-2026-54403 | Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CWE-22) to reach protected functionality without valid credentials, affecting a broad hardware line including Dream Machines/Routers/Wall, Cloud Gateways/Keys, Express 7, Enterprise Fortress Gateway, and the UniFi OS Server software. The CVSS 8.6 rating is driven by an unauthenticated, low-complexity network vector combined with a scope change (S:C), meaning the compromised authentication boundary exposes managed device data. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the ubiquity of affected consoles makes this a high-priority patch. | HIGH | 8.6 | 0.5% | 43 |
|