CVE-2026-25643

CRITICAL LAB

Frigate < 0.16.4 - Remote Command Execution via go2rtc exec Directive

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2026-25643. PoCs published by jduardo2704, XiaomingX, joshuavanderpoll.

AI-analyzed exploit summary This exploit leverages a configuration injection vulnerability in Frigate NVR to achieve remote code execution by injecting a malicious YAML configuration that triggers a reverse shell via the go2rtc and camera configuration parameters.

Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.

Exploits (6)

exploitdb WORKING POC
by jduardo2704 · pythonwebappsmultiple
https://www.exploit-db.com/exploits/52533

This exploit leverages a configuration injection vulnerability in Frigate NVR to achieve remote code execution by injecting a malicious YAML configuration that triggers a reverse shell via the go2rtc and camera configuration parameters.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Frigate NVR <= 0.16.3
Auth required
Prerequisites: network access to the target · valid credentials (optional but recommended)
devstral-2 · analyzed May 01, 2026 Full analysis →
github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25643

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction capabilities for admin credentials and password hashes.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 3 stars
by joshuavanderpoll · poc
https://github.com/joshuavanderpoll/CVE-2026-25643

This repository contains a functional Python exploit for CVE-2026-25643, targeting a blind RCE vulnerability in Frigate NVR ≤ 0.16.3. The exploit manipulates the configuration to inject a malicious go2rtc stream and a fake camera entry, triggering arbitrary command execution during service restart.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Frigate NVR ≤ 0.16.3
No auth needed
Prerequisites: Network access to the target Frigate NVR instance · Frigate NVR version ≤ 0.16.3
devstral-2 · analyzed Feb 25, 2026 Full analysis →
nomisec WORKING POC 1 stars
by jduardo2704 · poc
https://github.com/jduardo2704/CVE-2026-25643-Frigate-RCE

This repository contains a functional exploit for CVE-2026-25643, targeting Frigate NVR <= 0.16.3. The exploit leverages the `go2rtc` configuration to inject a reverse shell payload via the `exec:` protocol, supporting both authenticated and unauthenticated modes.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Frigate NVR <= 0.16.3
No auth needed
Prerequisites: Network access to the target Frigate instance · Valid credentials if authentication is enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-25643

This repository contains a functional Python exploit for CVE-2026-25643, targeting a blind RCE vulnerability in Frigate NVR ≤ 0.16.3 via go2rtc stream injection and malicious camera configuration. The exploit manipulates the configuration to execute arbitrary commands during service restart.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Frigate NVR ≤ 0.16.3
No auth needed
Prerequisites: Network access to the Frigate NVR API · Ability to send HTTP requests to the target
devstral-2 · analyzed May 21, 2026 Full analysis →
nomisec WORKING POC
by DyniePro · poc
https://github.com/DyniePro/CVE-2026-25643

This repository contains a functional Python exploit for CVE-2026-25643, targeting a blind RCE vulnerability in Frigate NVR ≤ 0.16.3. The exploit manipulates the configuration to inject a malicious go2rtc stream and a fake camera entry, triggering command execution during service restart.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Frigate NVR ≤ 0.16.3
No auth needed
Prerequisites: Network access to the target Frigate NVR instance · Frigate NVR version ≤ 0.16.3
devstral-2 · analyzed Mar 08, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.1
EPSS 0.0287
EPSS Percentile 85.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Lab Environment

COMMUNITY SUSPICIOUS
Community Lab
docker pull ghcr.io/blakeblackshear/frigate:0.16.3
+2 more repos

Details

CWE
CWE-250 CWE-269 CWE-668 CWE-78
Status published
Products (1)
frigate/frigate < 0.16.4
Published Feb 06, 2026
Tracked Since Feb 18, 2026