34
CVEs
13
Critical
20
High
3
KEV
3
PoC
0
Unpatched C/H
100.0%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
13
HIGH
20
MEDIUM
1
LOW
0
Monthly CVE Trend
Affected Products (30)
Express 7
14
Unifi Os Server
13
Unifi Network Application
9
Er X Sfp Firmware
8
Udr
8
Udr7
8
Efg
8
Er X Firmware
8
Udm Beast
8
Ucg Max
8
Ucg Fiber
8
Udr 5G
8
Udm Pro Max
8
Udm
8
Udm Se
8
Ucg Ultra
8
Ucg Industrial
8
Udm Pro
8
Udw
8
Unvr G2
7
Envr Core
7
Unvr Pro
7
Dream Routers
7
Unas Pro 8
7
Unas Pro 4
7
Unas 4
7
Cloud Gateways
7
Uck Enterprise
7
Unvr Instant
7
Unvr
7
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-34910 | Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. | CRITICAL | 10.0 | 0.1% | 120 |
KEV
PoC
|
| CVE-2026-34909 | Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. | CRITICAL | 10.0 | 0.0% | 120 |
KEV
PoC
|
| CVE-2026-34908 | Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments. | CRITICAL | 10.0 | 0.0% | 120 |
KEV
PoC
|
| CVE-2026-50746 | Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided. | CRITICAL | 10.0 | 0.8% | 51 |
|
| CVE-2026-50748 | Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. | CRITICAL | 9.9 | 0.8% | 50 |
|
| CVE-2026-50747 | Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low bar of only needing minimal authenticated access makes this a high-priority patch for exposed UniFi Talk deployments. | CRITICAL | 9.9 | 0.2% | 50 |
|
| CVE-2026-55115 | Privilege escalation via Server-Side Request Forgery in Ubiquiti's UniFi Protect Application allows a low-privileged, network-adjacent attacker to coerce the application into making attacker-controlled requests and escalate to control of the host device. The CVSS 9.9 rating is driven by a scope change (S:C) plus full confidentiality, integrity, and availability impact, meaning the SSRF crosses a security boundary from the application into the underlying host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided. | CRITICAL | 9.9 | 0.2% | 50 |
|
| CVE-2026-47370 | Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitrary OS commands on UniFi gateways, controllers, NVRs, and NAS devices, with a CVSS 9.9 score reflecting scope change and full CIA impact. The vulnerability affects a broad device family including UDM, UDM Pro/SE/Max/Beast, UDR, UDW, UCG, UNVR, and UNAS lines per Ubiquiti Security Advisory Bulletin 065. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV. | CRITICAL | 9.9 | 0.2% | 50 |
|
| CVE-2026-47369 | Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on affected UniFi OS devices and instances due to improper input validation (CWE-20). The CVSS 9.9 score reflects a scope-changing impact spanning UniFi Dream Machine, UniFi Express, UDR, UCG, UNVR, UNAS, and other UniFi OS Server platforms. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV. | CRITICAL | 9.9 | 0.1% | 50 |
|
| CVE-2026-54408 | Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority. | CRITICAL | 9.8 | 0.3% | 49 |
|
| CVE-2026-55116 | Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways. | CRITICAL | 9.8 | 0.2% | 49 |
|
| CVE-2026-54400 | Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV. | CRITICAL | 9.1 | 0.3% | 46 |
|
| CVE-2026-33000 | Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit identified at time of analysis. | CRITICAL | 9.1 | 0.1% | 46 |
|
| CVE-2026-54402 | Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as none, but the technical impact is total and a vendor patch is already available. | HIGH | 8.8 | 0.8% | 45 |
|
| CVE-2026-54404 | Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the CVSS 8.8 rating and low attack complexity make it a meaningful escalation risk once an attacker has any authenticated foothold. | HIGH | 8.8 | 0.2% | 44 |
|