{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26478", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-04T16:58:25.821Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-04T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-04T15:56:30.303Z"}, "descriptions": [{"lang": "en", "value": "A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP datagram and execute arbitrary shell code as the root account."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/pastcompute/tichome-poc-1"}, {"url": "https://web.archive.org/web/20171202094530/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:57:24.635902Z", "id": "CVE-2026-26478", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:58:25.821Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26478", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-04T16:57:24.635902Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:55:37.688Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/pastcompute/tichome-poc-1"}, {"url": "https://web.archive.org/web/20171202094530/"}], "descriptions": [{"lang": "en", "value": "A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP datagram and execute arbitrary shell code as the root account."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-04T15:56:30.303Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26478", "state": "PUBLISHED", "dateUpdated": "2026-03-04T16:58:25.821Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-04T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mobvoi:tichome_mini_firmware:012-18853:*:*:*:*:*:*:*", "matchCriteriaId": "39280A9B-977F-481F-A288-B616614CA35A", "vulnerable": true}, {"criteria": "cpe:2.3:o:mobvoi:tichome_mini_firmware:027-58389:*:*:*:*:*:*:*", "matchCriteriaId": "FD58E327-26FB-43D6-81AF-E881031BAAF9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mobvoi:tichome_mini:-:*:*:*:*:*:*:*", "matchCriteriaId": "E13E7A22-4418-4CF2-8021-2756C46998FD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP datagram and execute arbitrary shell code as the root account."}], "id": "CVE-2026-26478", "lastModified": "2026-03-05T18:13:33.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-04T16:16:27.610", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/pastcompute/tichome-poc-1"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://web.archive.org/web/20171202094530/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "tichome_mini_smart_speaker", "vendor": "mobvoi"}], "analysis": {"en": {"generated_at": "2026-04-17T13:17:44.732636+00:00", "value": {"mitigation_remediation": ["Update the Tichome Mini firmware to the latest release that includes the command injection fix issued by Mobvoi", "If an immediate firmware update is unavailable, isolate the device behind a firewall and block inbound UDP traffic to the port used for the vulnerable interface", "Regularly monitor system logs for unexpected shell execution activity and perform periodic vulnerability scans to detect any lingering exploitation attempts"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects Mobvoi Tichome Mini appliances that run firmware build 012\u201118853 and 027\u201158389. Users of these specific firmware releases must verify the build version deployed on their devices to determine exposure.", "description_and_impact": "A shell command injection flaw exists in the Mobvoi Tichome Mini smart speaker, allowing an attacker to craft a special UDP datagram that passes unsanitized input to the system shell. The vulnerability can be exploited to execute arbitrary shell commands with root privileges on the device, providing full control over its operating system. The weakness is a classic command injection (CWE\u201178).", "risk_and_exploitability": "With a CVSS score of 9.8, the risk of exploitation is very high. The EPSS score of 1% indicates a very low but nonzero probability that the vulnerability will be exploited. Although the vulnerability is not listed in the CISA KEV catalog, its severity and the ability to run commands as root make it a top priority for immediate remediation. Attackers can abuse the local UDP interface without authentication due to the lack of input validation."}}}}, "created": "2026-03-05T09:08:55.268854+00:00", "title": "Remote Command Injection in Mobvoi Tichome Mini Smart Speaker Enabling Root Execution", "updated": "2026-04-17T13:30:19.591081+00:00", "vendors": ["mobvoi", "mobvoi$PRODUCT$tichome_mini_smart_speaker"]}