← Back

CVE-2026-25643

nvd nist
Published: Feb 6, 2026Modified: Feb 11, 2026

JSON object

Loading...
9.1
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 / Impact: 6.0
Source: security-advisories@github.com (Secondary)

Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.

Affected (1)

Products: Frigate: Frigate
Frigate
1 product
Frigate
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Frigate
Before 0.16.4

Related CWEs

CWE-250
Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-668
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Vendor AdvisoryExploit
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Vendor AdvisoryExploit

Timeline

No history available yet.