PT-2026-6784 · Go2Rtc+1

Jduardo2704 · Published 2026-02-06 · Updated 2026-02-06 · CVE-2026-25643

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Frigate versions prior to 0.16.4

Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. A critical Remote Command Execution (RCE) issue exists in the Frigate integration with go2rtc. The application does not properly sanitize user input within the video stream configuration file (config.yaml), specifically allowing the injection of system commands through the exec: directive. The go2rtc service then executes these commands without restrictions. This issue is exploitable by an administrator or users who have exposed their Frigate installation to the internet without authentication, potentially granting full administrative control to an attacker.

Recommendations

Update Frigate to version 0.16.4 or later.
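
A configuration audit for the condition described above, as an added example that is not Frigate or go2rtc code: it flags go2rtc stream sources that use the exec: scheme in an already-parsed config.yaml and checks a version string against 0.16.4. The go2rtc.streams layout, the sample config values and the function names are assumptions made for illustration.

```python
# Added example: audit a parsed Frigate config for go2rtc "exec:" sources.
# SAMPLE_CONFIG is constructed; it mirrors what yaml.safe_load() would return.
FIXED_VERSION = (0, 16, 4)  # first fixed release according to the advisory

SAMPLE_CONFIG = {
    "go2rtc": {
        "streams": {
            "front_door": ["rtsp://192.0.2.10:554/stream1"],
            "garage": "exec:/usr/local/bin/example-capture --out {output}",
            "yard": ["rtsp://192.0.2.11:554/stream1",
                     "  EXEC:/usr/local/bin/example-capture --out {output}"],
        }
    }
}


def parse_version(text):
    """Turn '0.16.3' or 'v0.16.3-beta1' into (0, 16, 3); suffix is ignored."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version_text):
    """True when the version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def find_exec_sources(config):
    """Return (stream_name, source) pairs whose source uses the exec: scheme."""
    streams = (config.get("go2rtc") or {}).get("streams") or {}
    findings = []
    for name, sources in streams.items():
        if isinstance(sources, str):  # a stream may be one string or a list
            sources = [sources]
        for src in sources or []:
            if isinstance(src, str) and src.strip().lower().startswith("exec:"):
                findings.append((name, src.strip()))
    return findings


if __name__ == "__main__":
    print("affected:", is_affected("0.16.3"))
    for stream, source in find_exec_sources(SAMPLE_CONFIG):
        print(f"review stream {stream!r}: {source}")
```

Every flagged entry should be traced to a known, intended configuration change; on an affected version, an exec: source with no such origin warrants investigation.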

Exploit

Fix

Improper Privilege Management

OS Command Injection

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related Identifiers

CVE-2026-25643
GHSA-4C97-5JMR-8F6X

Affected Products

Frigate
Go2Rtc