CVE-2026-25643 · CRITICAL 9.1 · EPSS p85.0%


Description

Frigate is a network video recorder (NVR) with real-time local object detection for IP cameras. Versions prior to 0.16.4 contain a critical Remote Command Execution (RCE) vulnerability in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive, and the go2rtc service executes these commands without restrictions. The vulnerability is only exploitable by an administrator, or on installs that users have exposed to the open internet with no authentication, which allows anyone full administrative control. It is fixed in 0.16.4.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 2.87% probability of exploitation · percentile 85.0% · 2026-06-19T12:03:05Z
Published: 2026-02-06
Last modified: 2026-02-11

Underlying weaknesses · 4

CWE-78, CWE-250, CWE-269, CWE-668

References

  1. https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4
  2. https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x


| Type | Target | Confidence | Tier |
|------|--------|------------|------|
| Weakness | Execution with Unnecessary Privileges (cwe-250) | 0% | live |
| Weakness | Improper Privilege Management (cwe-269) | 0% | live |
| Weakness | Exposure of Resource to Wrong Sphere (cwe-668) | 0% | live |
| Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-33125
  - CVE: CVE-2026-33124
  - CVE: CVE-2025-56110
  - CVE: CVE-2025-23115
  - CVE: CVE-2025-56111
  - CVE: CVE-2025-56087

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.