CVE-2026-25643

9.1 CRITICAL
Published: February 06, 2026 Modified: February 11, 2026
View on NVD

Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4
Source: security-advisories@github.com
Release Notes
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x
Source: security-advisories@github.com
Vendor Advisory Exploit
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Vendor Advisory Exploit

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.1 / 10.0
EPSS (Exploit Probability)
0.3%
55th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-78 CWE-250 CWE-269 CWE-668 CWE-78

Affected Vendors

frigate

Related CVEs

CVE-2026-33179 5.5
CVE-2026-33165 5.5
CVE-2026-33164 N/A
CVE-2026-33156 7.8
CVE-2026-33155 N/A