Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.
Exploits (4)
github
WORKING POC
10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25643
nomisec
WORKING POC
3 stars
by joshuavanderpoll · poc
https://github.com/joshuavanderpoll/CVE-2026-25643
nomisec
WORKING POC
1 stars
by jduardo2704 · poc
https://github.com/jduardo2704/CVE-2026-25643-Frigate-RCE
Scores
CVSS v3
9.1
EPSS
0.0039
EPSS Percentile
59.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lab Environment
Details
CWE
CWE-250
CWE-269
CWE-668
CWE-78
Status
published
Products (1)
frigate/frigate
< 0.16.4
Published
Feb 06, 2026
Tracked Since
Feb 18, 2026