CVE-2026-25643

Exploit

EPSS 0.3%
Veröffentlicht 06.02.2026 19:16:26
Zuletzt bearbeitet 11.02.2026 19:00:39
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 4 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Frigate ≫ Frigate Version < 0.16.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.525

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.1	2.3	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-250 Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x

Vendor Advisory

Exploit

https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-25643

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25643

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25643

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25643