CVE-2026-22562NVD

Vulnerability Summary

A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).

Affected Products:
UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) 
Mitigation:
Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later

Severity Level

CRITICAL(9.8)

Published Date

Apr 13, 2026

Last Modified

Apr 30, 2026

Exploitation Status

No confirmed exploitation yet

EPSS Score (30-Day)

0.19%Probability

Root Weakness (CWE)

CWE-22: Path Traversal ↗

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83