Blakeblackshear Frigate vulnerabilities
11 known vulnerabilities affecting blakeblackshear/frigate.
Total CVEs: 11
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 6
Vulnerabilities
CVE-2026-25643 | P2 | CRITICAL | CVSS 9.1 | CWE-78 | PoC | fixed in 0.16.4 | 2026-02-06
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of
nvd
CVE-2026-33124 | P3 | HIGH | CVSS 8.8 | CWE-287 | fixed in 0.17.0-beta1 | 2026-03-20
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/{username}/password endpoint. Changing a password does not invalidate existing JWT tokens, and there is no vali
nvd
CVE-2023-45671 | P4 | MEDIUM | CVSS 4.7 | CWE-79 | PoC | fixed in 0.13.0-beta3 | 2023-10-30
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate
nvd
CVE-2025-62382 | P3 | HIGH | CVSS 7.7 | CWE-73 | fixed in 0.16.2 | 2025-10-15
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.2, Frigate's export workflow allows an authenticated operator to nominate any filesystem location as the thumbnail source for a video export. Because that path is copied verbatim into the publicly served clips directory, the feature can be abuse
nvd
CVE-2026-33125 | P3 | HIGH | CVSS 8.1 | CWE-285 | fixed in 0.16.3 | 2026-03-20
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3.
nvd
CVE-2023-45672 | P3 | HIGH | CVSS 7.5 | CWE-502 | fixed in 0.13.0-beta3 | 2023-10-30
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, an unsafe deserialization vulnerability was identified in the endpoints used to save configurations for Frigate. This can lead to unauthenticated remote code execution. This can be performed through the UI at `/config` or through a direct call to `/api/config/save`. Expl
nvd
CVE-2026-33469 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | v= 0.17.0 | 2026-03-26
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream cred
nvd
CVE-2023-45670 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | fixed in 0.13.0-beta3 | 2023-10-30
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, the `config/save` and `config/set` endpoints of Frigate do not implement any CSRF protection. This makes it possible for a request sourced from another site to update the configuration of the Frigate server (e.g. via "drive-by" attack). Exploiting this vulnerability req
nvd
CVE-2024-32874 | P4 | MEDIUM | CVSS 6.8 | CWE-770 | ≤ 0.13.2 | 2024-05-14
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Below 0.13.2 Release, when uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to an application-level denial of service. This is due to no limitation set on the length of the filename and the
nvd
CVE-2026-33126 | P4 | MEDIUM | CVSS 4.3 | CWE-918 | fixed in 0.16.3 | 2026-03-20
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources
nvd
CVE-2026-33470 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | v= 0.17.0 | 2026-03-26
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller'
nvd