Axis
Products
48- 26 CVEs
- 14 CVEs
- 12 CVEs
- 10 CVEs
- 7 CVEs
- 7 CVEs
- 7 CVEs
- 7 CVEs
- 7 CVEs
- 6 CVEs
- 6 CVEs
- 6 CVEs
- 5 CVEs
- 5 CVEs
- 4 CVEs
- 4 CVEs
- 3 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- View all 48 products →
Recent CVEs
99| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-10660 | Cri | 0.73 | 9.8 | 0.82 | Jun 26, 2018 | An issue was discovered in multiple models of Axis IP Cameras. There is Shell Command Injection. | ||
| CVE-2015-8257 | Hig | 0.62 | 8.8 | 0.18 | May 2, 2017 | The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_params.shtml. | ||
| CVE-2015-8255 | Hig | 0.60 | 8.8 | 0.02 | Apr 10, 2017 | AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi. | ||
| CVE-2015-8258 | Hig | 0.52 | 7.5 | 0.09 | Apr 10, 2017 | AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability." | ||
| CVE-2024-47257 | Hig | 0.49 | 7.5 | 0.00 | Nov 26, 2024 | Florent Thiéry has found that selected Axis devices were vulnerable to handling certain ethernet frames which could lead to the Axis device becoming unavailable in the network. Axis has released patched AXIS OS versions for the highlighted flaw for products that are still… | ||
| CVE-2018-10664 | Hig | 0.49 | 7.5 | 0.02 | Jun 26, 2018 | An issue was discovered in the httpd process in multiple models of Axis IP Cameras. There is Memory Corruption. | ||
| CVE-2018-10659 | Hig | 0.49 | 7.5 | 0.02 | Jun 26, 2018 | There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which allows remote attackers to cause a denial of service (crash) by sending a crafted command which will result in a code path that calls the UND undefined ARM instruction. | ||
| CVE-2018-10658 | Hig | 0.49 | 7.5 | 0.02 | Jun 26, 2018 | There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which causes a denial of service (crash). The crash arises from code inside libdbus-send.so shared object or similar. | ||
| CVE-2018-9158 | Hig | 0.49 | 7.5 | 0.01 | Apr 1, 2018 | An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. They don't employ a suitable mechanism to prevent a DoS attack, which leads to a response time delay. An attacker can use the hping3 tool to perform an IPv4 flood attack, and the services are… | ||
| CVE-2018-9157 | Hig | 0.49 | 7.5 | 0.03 | Apr 1, 2018 | An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP… | ||
| CVE-2018-9156 | Hig | 0.49 | 7.5 | 0.04 | Apr 1, 2018 | An issue was discovered on AXIS P1354 (IP camera) Firmware version 5.90.1.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP… | ||
| CVE-2015-8256 | Med | 0.47 | 6.1 | 0.51 | Apr 17, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras. | ||
| CVE-2026-0804 | Med | 0.44 | 6.7 | 0.00 | May 12, 2026 | An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications,… | ||
| CVE-2026-0541 | Med | 0.44 | 6.7 | 0.00 | May 12, 2026 | ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP… | ||
| CVE-2025-9055 | Med | 0.42 | 6.4 | 0.00 | Nov 11, 2025 | The VAPIX Edge storage API that allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux Root privileges. This flaw can only be exploited after authenticating with an administrator-privileged service account. | ||
| CVE-2024-47260 | Med | 0.42 | 6.5 | 0.00 | Mar 4, 2025 | 51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have a sufficient input validation allowing for uploading more audio clips then designed resulting in the Axis device running out of memory. Axis has released patched AXIS OS… | ||
| CVE-2024-6509 | Med | 0.42 | 6.5 | 0.00 | Sep 10, 2024 | Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to… | ||
| CVE-2024-6173 | Med | 0.42 | 6.5 | 0.00 | Sep 10, 2024 | 51l3nc3, member of the AXIS OS Bug Bounty Program, has found that a Guard Tour VAPIX API parameter allowed the use of arbitrary values allowing for an attacker to block access to the guard tour configuration page in the web interface of the Axis device. Axis has released… | ||
| CVE-2024-0054 | Med | 0.42 | 6.5 | 0.01 | Mar 19, 2024 | Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the… | ||
| CVE-2024-6749 | Med | 0.41 | 6.3 | 0.00 | Nov 26, 2024 | Seth Fogie, member of the AXIS Camera Station Pro Bug Bounty Program, has found that the Incident report feature may expose sensitive credentials on the AXIS Camera Station windows client. If Incident report is not being used with credentials configured this flaw does not apply.… |
- risk 0.73cvss 9.8epss 0.82
An issue was discovered in multiple models of Axis IP Cameras. There is Shell Command Injection.
- risk 0.62cvss 8.8epss 0.18
The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_params.shtml.
- risk 0.60cvss 8.8epss 0.02
AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi.
- risk 0.52cvss 7.5epss 0.09
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."
- risk 0.49cvss 7.5epss 0.00
Florent Thiéry has found that selected Axis devices were vulnerable to handling certain ethernet frames which could lead to the Axis device becoming unavailable in the network. Axis has released patched AXIS OS versions for the highlighted flaw for products that are still…
- risk 0.49cvss 7.5epss 0.02
An issue was discovered in the httpd process in multiple models of Axis IP Cameras. There is Memory Corruption.
- risk 0.49cvss 7.5epss 0.02
There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which allows remote attackers to cause a denial of service (crash) by sending a crafted command which will result in a code path that calls the UND undefined ARM instruction.
- risk 0.49cvss 7.5epss 0.02
There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which causes a denial of service (crash). The crash arises from code inside libdbus-send.so shared object or similar.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. They don't employ a suitable mechanism to prevent a DoS attack, which leads to a response time delay. An attacker can use the hping3 tool to perform an IPv4 flood attack, and the services are…
- risk 0.49cvss 7.5epss 0.03
An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP…
- risk 0.49cvss 7.5epss 0.04
An issue was discovered on AXIS P1354 (IP camera) Firmware version 5.90.1.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP…
- risk 0.47cvss 6.1epss 0.51
Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.
- risk 0.44cvss 6.7epss 0.00
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications,…
- risk 0.44cvss 6.7epss 0.00
ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP…
- risk 0.42cvss 6.4epss 0.00
The VAPIX Edge storage API that allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux Root privileges. This flaw can only be exploited after authenticating with an administrator-privileged service account.
- risk 0.42cvss 6.5epss 0.00
51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have a sufficient input validation allowing for uploading more audio clips then designed resulting in the Axis device running out of memory. Axis has released patched AXIS OS…
- risk 0.42cvss 6.5epss 0.00
Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to…
- risk 0.42cvss 6.5epss 0.00
51l3nc3, member of the AXIS OS Bug Bounty Program, has found that a Guard Tour VAPIX API parameter allowed the use of arbitrary values allowing for an attacker to block access to the guard tour configuration page in the web interface of the Axis device. Axis has released…
- risk 0.42cvss 6.5epss 0.01
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the…
- risk 0.41cvss 6.3epss 0.00
Seth Fogie, member of the AXIS Camera Station Pro Bug Bounty Program, has found that the Incident report feature may expose sensitive credentials on the AXIS Camera Station windows client. If Incident report is not being used with credentials configured this flaw does not apply.…