CVE-2026-34910
Command Injection in UniFi OS Devices
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ubiquiti | unifi_os | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Input Validation issue found in UniFi OS devices. It allows a malicious actor who has network access to execute Command Injection attacks. This means the attacker can run arbitrary commands on the affected device by exploiting the way input is handled.
How can this vulnerability impact me? :
The impact of this vulnerability is severe. Since it allows remote command execution without any privileges or user interaction, an attacker can fully compromise the affected device. This can lead to complete control over the device, including the ability to steal data, disrupt services, or use the device as a foothold for further attacks.