CVE-2026-22563
Command Injection via Improper Input Validation in UniFi Play Devices
Publication date: 2026-04-13
Last updated on: 2026-04-13
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ubiquiti | unifi_play_poweramp | to 1.0.36 (exc) |
| ubiquiti | unifi_play_audio_port | to 1.0.25 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability consists of a series of Improper Input Validation issues that could allow a malicious actor with access to the UniFi Play network to perform Command Injection.
How can this vulnerability impact me? :
The vulnerability can have a severe impact as it allows an attacker to execute arbitrary commands on affected devices without any privileges or user interaction. This can lead to full compromise of the device, including unauthorized access, data manipulation, or disruption of service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the affected products to the fixed versions.
- Update UniFi Play PowerAmp to Version 1.0.38 or later.
- Update UniFi Play Audio Port to Version 1.1.9 or later.