CVE-2026-33000

Published May 22, 2026

Last updated 22 days ago

CVSS critical 9.1
Server

Overview

Description
A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
Source
support@hackerone.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
6
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

support@hackerone.com
CWE-20

Social media

Hype score
Not currently trending

  1. Warning: #Ubiquiti has released a security advisory bulletin addressing multiple critical vulnerabilities in #UniFi OS, including CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-33000. Risks ranges from unauthorised changes to command injection: https://t.co/mwPib2vEpg

    @CCBalert

    26 May 2026

    220 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.CVE-2026-34908
  2. A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.CVE-2026-34909
  3. A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.CVE-2026-34910
  4. A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to obtain sensitive information.CVE-2026-34911
  5. Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientHello, SecureSocket::secureAccept enters its fatal-error branch and calls Arch::sleep(1) (a blocking 1-second sleep) on the multiplexer worker thread. That thread services every socket on the server, including established TLS clients delivering mouse motion, keyboard events, and clipboard updates. A single failed handshake therefore stalls input delivery to all connected screens for ~1 second, and a sustained drip of malformed connections (≥ 1/s) makes the server effectively unusable while the attack persists. This vulnerability is fixed in 1.26.0.167.CVE-2026-44296

References

Sources include official advisories and independent security research.