{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22562", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-07T15:39:03.440Z", "datePublished": "2026-04-13T21:28:11.025Z", "dateUpdated": "2026-04-14T13:14:19.709Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).\n \nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028UniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028Update UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"}], "affected": [{"defaultStatus": "unaffected", "vendor": "Ubiquiti Inc", "product": "UniFi Play PowerAmp", "versions": [{"version": "0", "status": "affected", "lessThan": "1.0.38", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "vendor": "Ubiquiti Inc", "product": "UniFi Play Audio Port", "versions": [{"version": "0", "status": "affected", "lessThan": "1.1.9", "versionType": "semver"}]}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-22", "description": "CWE-22 Path Traversal"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-13T21:28:11.025Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22562", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T12:58:13.202458Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:19.709Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22562", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T12:58:13.202458Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:33.059Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Ubiquiti Inc", "product": "UniFi Play PowerAmp", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.38", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Ubiquiti Inc", "product": "UniFi Play Audio Port", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"}], "descriptions": [{"lang": "en", "value": "A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).\n \nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028UniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028Update UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Path Traversal"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-13T21:28:11.025Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22562", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:19.709Z", "dateReserved": "2026-01-07T15:39:03.440Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-04-13T21:28:11.025Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).\n \nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028UniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028Update UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"}], "id": "CVE-2026-22562", "lastModified": "2026-04-30T16:14:21.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-04-13T22:16:27.870", "references": [{"source": "support@hackerone.com", "url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "UniFi Play Audio Port", "source": "cna", "vendor": "Ubiquiti Inc"}, "product": "unifi_play_audio_port", "vendor": "ubiquiti"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.38)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "UniFi Play PowerAmp", "source": "cna", "vendor": "Ubiquiti Inc"}, "product": "unifi_play_poweramp", "vendor": "ubiquiti"}], "analysis": {"en": {"generated_at": "2026-04-13T22:21:19.672595+00:00", "value": {"mitigation_remediation": ["Apply firmware updates on all UniFi Play PowerAmp devices to version 1.0.38 or later", "Apply firmware updates on all UniFi Play Audio Port devices to version 1.1.9 or later"], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected are UniFi Play PowerAmp firmware versions 1.0.35 and earlier, and UniFi Play Audio Port firmware versions 1.0.24 and earlier. The flaw is present only in the firmware of these two devices and is fixed in later releases.", "description_and_impact": "A path traversal flaw in the firmware of Ubiquiti UniFi Play devices lets an attacker with network access write arbitrary files to the filesystem, which can be used to execute arbitrary code. The vulnerability is a classic example of a directory traversal weakness leading to remote code execution.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.8, indicating critical severity. No EPSS score is available and it has not been listed in the CISA KEV catalog, though it still represents a high risk if exploited. The likely attack vector is a local or remote attacker who can reach the UniFi Play device over the network. Exploitation requires simply accessing the vulnerable firmware endpoint, after which the attacker can write malicious files that the device will execute."}}}}, "created": "2026-04-14T16:17:10.802648+00:00", "title": "Path Traversal Vulnerability Allowing Remote File Write on Ubiquiti UniFi Play Devices", "updated": "2026-04-14T16:33:02.180814+00:00", "vendors": ["ubiquiti", "ubiquiti$PRODUCT$unifi_play_audio_port", "ubiquiti$PRODUCT$unifi_play_poweramp"]}