LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-22563

CVE-2026-22563 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 13, 2026

UniFi Play - Command Injection

Published: April 13, 2026Updated: April 13, 2026Remote Exploitable

Overview

UniFi Play PowerAmp <= 1.0.35 and UniFi Play Audio Port <= 1.0.24 contain a command injection caused by improper input validation, letting attackers with network access execute arbitrary commands, exploit requires attacker access to UniFi Play network.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers with network access can execute arbitrary commands, potentially leading to full system compromise.

Mitigation

Update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later.

References

Social Media Activity(4 posts)

OffSequence
OffSequence
@offseq
Apr 14, 2026

CVE-2026-22563: Ubiquiti UniFi Play PowerAmp (ā‰¤1.0.35) & Audio Port (ā‰¤1.0.24) have a critical command injection flaw (CVSS 9.8). Network access = full compromise. Update to 1.0.38+/1.1.9+ ASAP! šŸ›”ļø https://radar.offseq.com/threat/cve-2026-22563-cwe-20-improper-input-validation-in-4175b900 #OffSeq #CVE202622563 #infosec #patch

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Apr 13, 2026

šŸ”“ CVE-2026-22563 - Critical (9.8) A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)ā€Ø UniFi Play Audio Port (Ver... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-22563/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
OffSequence
OffSequence
@offseq
Apr 14, 2026

CVE-2026-22563: Ubiquiti UniFi Play PowerAmp (ā‰¤1.0.35) & Audio Port (ā‰¤1.0.24) have a critical command injection flaw (CVSS 9.8). Network access = full compromise. Update to 1.0.38+/1.1.9+ ASAP! šŸ›”ļø https://radar.offseq.com/threat/cve-2026-22563-cwe-20-improper-input-validation-in-4175b900 #OffSeq #CVE202622563 #infosec #patch

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Apr 13, 2026

šŸ”“ CVE-2026-22563 - Critical (9.8) A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)ā€Ø UniFi Play Audio Port (Ver... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-22563/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-22563
Severity
Critical
CVSS Score
9.8
Type
command_injection
Status
new
EPSS
0.0%
Social Posts
4

CWE

  • CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0%Probability of exploitation in the next 30 days