Vendor CVEs
Reolink
All CVEs
116 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-60858 | Hig | 0.49 | 7.5 | 0.00 | Oct 28, 2025 | Reolink Video Doorbell Wi-Fi DB_566128M5MP_W stores and transmits DDNS credentials in plaintext within its configuration and update scripts, allowing attackers to intercept or extract sensitive information. | ||
| CVE-2025-60856 | Med | 0.44 | 6.8 | 0.00 | Oct 20, 2025 | Reolink Video Doorbell WiFi DB_566128M5MP_W allows root shell access through an unsecured UART/serial console. An attacker with physical access can connect to the exposed interface and execute arbitrary commands with root privileges. NOTE: this is disputed by the Supplier… | ||
| CVE-2025-55629 | Med | 0.42 | 6.5 | 0.00 | Aug 22, 2025 | Insecure permissions in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allow attackers to arbitrarily change other users' passwords via manipulation of the userName value. | ||
| CVE-2024-48644 | Med | 0.35 | 5.3 | 0.01 | Oct 22, 2024 | Accounts enumeration vulnerability in the Login Component of Reolink Duo 2 WiFi Camera (Firmware Version v3.0.0.1889_23031701) allows remote attackers to determine valid user accounts via login attempts. This can lead to the enumeration of user accounts and potentially… | ||
| CVE-2025-55627 | Med | 0.34 | 5.3 | 0.00 | Aug 22, 2025 | Insufficient privilege verification in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows authenticated attackers to create accounts with elevated privileges. | ||
| CVE-2025-55626 | Med | 0.34 | 5.3 | 0.00 | Aug 22, 2025 | An Insecure Direct Object Reference (IDOR) vulnerability in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to access the Admin-only settings and edit the session storage. | ||
| CVE-2025-60855 | Med | 0.33 | 5.1 | 0.00 | Oct 16, 2025 | Reolink Video Doorbell WiFi DB_566128M5MP_W performs insufficient validation of firmware update signatures. This allows attackers to load malicious firmware images, resulting in arbitrary code execution with root privileges. NOTE: this is disputed by the Supplier because the… | ||
| CVE-2025-55631 | Med | 0.26 | 4.0 | 0.00 | Aug 22, 2025 | Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to manage users' sessions system wide instead of an account-by-account basis, potentially leading to a Denial of Service (DoS) via resource exhaustion. NOTE: the Supplier… | ||
| CVE-2021-40407 | 0.14 | — | 0.48 | KEV | Jan 28, 2022 | An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not… | ||
| CVE-2019-11001 | 0.14 | — | 0.38 | KEV | Apr 8, 2019 | On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field. | ||
| CVE-2026-4387 | Low | 0.13 | — | 0.00 | May 29, 2026 | StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\\.sdm\state.kv. The file is… | ||
| CVE-2021-40149 | 0.05 | — | 0.06 | Jul 17, 2022 | The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. In this way an attacker can download the entire key via the /self.key URI. | |||
| CVE-2021-40150 | 0.03 | — | 0.03 | Jul 17, 2022 | The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. In this way an attacker can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or… | |||
| CVE-2021-40412 | 0.01 | — | 0.27 | Jan 28, 2022 | An OScommand injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [8] the devname variable, that has the value of the name parameter provided through the SetDevName API, is not validated properly. This would lead… | |||
| CVE-2021-40410 | 0.01 | — | 0.28 | Jan 28, 2022 | An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [4] the dns_data->dns1 variable, that has the value of the dns1 parameter provided through the SetLocal API, is not validated properly. This… | |||
| CVE-2025-56799 | 0.00 | — | 0.01 | Oct 21, 2025 | Reolink desktop application 8.18.12 contains a command injection vulnerability in its scheduled cache-clearing mechanism via a crafted folder name. NOTE: this is disputed by the Supplier because a crafted folder name would arise only if the local user were attacking himself. | |||
| CVE-2025-56800 | 0.00 | — | 0.00 | Oct 21, 2025 | Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned… | |||
| CVE-2025-56801 | 0.00 | — | 0.00 | Oct 21, 2025 | The Reolink Desktop Application 8.18.12 contains hardcoded credentials as the Initialization Vector (IV) in its AES-CFB encryption implementation allowing attackers with access to the application environment to reliably decrypt encrypted configuration data. NOTE: the Supplier's… | |||
| CVE-2025-56802 | 0.00 | — | 0.00 | Oct 21, 2025 | The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files allowing attackers with local access to decrypt sensitive application data stored in %APPDATA%. A different vulnerability than CVE-2025-56801. NOTE: the… | |||
| CVE-2025-55619 | 0.00 | — | 0.00 | Aug 22, 2025 | Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering. | |||
| CVE-2025-55625 | 0.00 | — | 0.00 | Aug 22, 2025 | An open redirect vulnerability in Reolink v4.54.0.4.20250526 allows attackers to redirect users to a malicious site via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior that supports redirection to Alexa URLs, which are not guaranteed to… | |||
| CVE-2025-55624 | 0.00 | — | 0.00 | Aug 22, 2025 | An intent redirection vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access internal functions or access non-public components. | |||
| CVE-2025-55634 | 0.00 | — | 0.00 | Aug 22, 2025 | Incorrect access control in the RTMP server settings of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to cause a Denial of Service (DoS) via initiating a large number of simultaneous ffmpeg-based stream… | |||
| CVE-2025-55620 | 0.00 | — | 0.00 | Aug 22, 2025 | A cross-site scripting (XSS) vulnerability in the valuateJavascript() function of Reolink v4.54.0.4.20250526 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||
| CVE-2025-55637 | 0.00 | — | 0.02 | Aug 22, 2025 | Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to contain a command injection vulnerability via the setddns_pip_system() function. | |||
| CVE-2025-55623 | 0.00 | — | 0.00 | Aug 22, 2025 | An issue in the lock screen component of Reolink v4.54.0.4.20250526 allows attackers to bypass authentication via using an ADB (Android Debug Bridge). | |||
| CVE-2025-55630 | 0.00 | — | 0.00 | Aug 22, 2025 | A discrepancy in the error message returned by the login function of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 when entering the wrong username and password allows attackers to enumerate existing accounts. | |||
| CVE-2025-55622 | 0.00 | — | 0.00 | Aug 22, 2025 | Reolink v4.54.0.4.20250526 was discovered to contain a task hijacking vulnerability due to inappropriate taskAffinity settings. NOTE: this is disputed by the Supplier because it is intentional behavior to ensure a predictable user experience. | |||
| CVE-2025-55621 | 0.00 | — | 0.00 | Aug 22, 2025 | An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are… | |||
| CVE-2024-48605 | 0.00 | — | 0.01 | Oct 22, 2024 | An issue in Helakuru Desktop Application v1.1 allows a local attacker to execute arbitrary code via the lack of proper validation of the wow64log.dll file. | |||
| CVE-2022-36263 | 0.00 | — | 0.00 | Aug 19, 2022 | StreamLabs Desktop Application 1.9.0 is vulnerable to Incorrect Access Control via obs64.exe. An attacker can execute arbitrary code via a crafted .exe file. | |||
| CVE-2021-44394 | 0.00 | — | 0.02 | Apr 14, 2022 | Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2021-44375 | 0.00 | — | 0.02 | Apr 14, 2022 | Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2021-44366 | 0.00 | — | 0.02 | Apr 14, 2022 | Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2021-44357 | 0.00 | — | 0.02 | Apr 14, 2022 | Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2021-44356 | 0.00 | — | 0.02 | Apr 14, 2022 | Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2021-44355 | 0.00 | — | 0.02 | Apr 14, 2022 | Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2021-44354 | 0.00 | — | 0.02 | Apr 14, 2022 | Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2021-40405 | 0.00 | — | 0.01 | Apr 14, 2022 | A denial of service vulnerability exists in the cgiserver.cgi Upgrade API functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2021-44419 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetMdAlarm param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44418 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetMdState param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44417 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetAlarm param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44416 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. Disconnect param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44415 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. ModifyUser param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44414 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. DelUser param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44413 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. AddUser param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44412 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetRec param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44407 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. TestEmail param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44406 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetAutoFocus param is not object. An attacker can send an HTTP request to trigger this… | |||
| CVE-2021-44405 | 0.00 | — | 0.01 | Jan 28, 2022 | A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. StartZoomFocus param is not object. An attacker can send an HTTP request to trigger… |
- risk 0.49cvss 7.5epss 0.00
Reolink Video Doorbell Wi-Fi DB_566128M5MP_W stores and transmits DDNS credentials in plaintext within its configuration and update scripts, allowing attackers to intercept or extract sensitive information.
- risk 0.44cvss 6.8epss 0.00
Reolink Video Doorbell WiFi DB_566128M5MP_W allows root shell access through an unsecured UART/serial console. An attacker with physical access can connect to the exposed interface and execute arbitrary commands with root privileges. NOTE: this is disputed by the Supplier…
- risk 0.42cvss 6.5epss 0.00
Insecure permissions in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allow attackers to arbitrarily change other users' passwords via manipulation of the userName value.
- risk 0.35cvss 5.3epss 0.01
Accounts enumeration vulnerability in the Login Component of Reolink Duo 2 WiFi Camera (Firmware Version v3.0.0.1889_23031701) allows remote attackers to determine valid user accounts via login attempts. This can lead to the enumeration of user accounts and potentially…
- risk 0.34cvss 5.3epss 0.00
Insufficient privilege verification in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows authenticated attackers to create accounts with elevated privileges.
- risk 0.34cvss 5.3epss 0.00
An Insecure Direct Object Reference (IDOR) vulnerability in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to access the Admin-only settings and edit the session storage.
- risk 0.33cvss 5.1epss 0.00
Reolink Video Doorbell WiFi DB_566128M5MP_W performs insufficient validation of firmware update signatures. This allows attackers to load malicious firmware images, resulting in arbitrary code execution with root privileges. NOTE: this is disputed by the Supplier because the…
- risk 0.26cvss 4.0epss 0.00
Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to manage users' sessions system wide instead of an account-by-account basis, potentially leading to a Denial of Service (DoS) via resource exhaustion. NOTE: the Supplier…
- risk 0.14cvss —epss 0.48
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not…
- risk 0.14cvss —epss 0.38
On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field.
- risk 0.13cvss —epss 0.00
StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\\.sdm\state.kv. The file is…
- CVE-2021-40149Jul 17, 2022risk 0.05cvss —epss 0.06
The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. In this way an attacker can download the entire key via the /self.key URI.
- CVE-2021-40150Jul 17, 2022risk 0.03cvss —epss 0.03
The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. In this way an attacker can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or…
- CVE-2021-40412Jan 28, 2022risk 0.01cvss —epss 0.27
An OScommand injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [8] the devname variable, that has the value of the name parameter provided through the SetDevName API, is not validated properly. This would lead…
- CVE-2021-40410Jan 28, 2022risk 0.01cvss —epss 0.28
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [4] the dns_data->dns1 variable, that has the value of the dns1 parameter provided through the SetLocal API, is not validated properly. This…
- CVE-2025-56799Oct 21, 2025risk 0.00cvss —epss 0.01
Reolink desktop application 8.18.12 contains a command injection vulnerability in its scheduled cache-clearing mechanism via a crafted folder name. NOTE: this is disputed by the Supplier because a crafted folder name would arise only if the local user were attacking himself.
- CVE-2025-56800Oct 21, 2025risk 0.00cvss —epss 0.00
Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned…
- CVE-2025-56801Oct 21, 2025risk 0.00cvss —epss 0.00
The Reolink Desktop Application 8.18.12 contains hardcoded credentials as the Initialization Vector (IV) in its AES-CFB encryption implementation allowing attackers with access to the application environment to reliably decrypt encrypted configuration data. NOTE: the Supplier's…
- CVE-2025-56802Oct 21, 2025risk 0.00cvss —epss 0.00
The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files allowing attackers with local access to decrypt sensitive application data stored in %APPDATA%. A different vulnerability than CVE-2025-56801. NOTE: the…
- CVE-2025-55619Aug 22, 2025risk 0.00cvss —epss 0.00
Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering.
- CVE-2025-55625Aug 22, 2025risk 0.00cvss —epss 0.00
An open redirect vulnerability in Reolink v4.54.0.4.20250526 allows attackers to redirect users to a malicious site via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior that supports redirection to Alexa URLs, which are not guaranteed to…
- CVE-2025-55624Aug 22, 2025risk 0.00cvss —epss 0.00
An intent redirection vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access internal functions or access non-public components.
- CVE-2025-55634Aug 22, 2025risk 0.00cvss —epss 0.00
Incorrect access control in the RTMP server settings of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to cause a Denial of Service (DoS) via initiating a large number of simultaneous ffmpeg-based stream…
- CVE-2025-55620Aug 22, 2025risk 0.00cvss —epss 0.00
A cross-site scripting (XSS) vulnerability in the valuateJavascript() function of Reolink v4.54.0.4.20250526 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
- CVE-2025-55637Aug 22, 2025risk 0.00cvss —epss 0.02
Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to contain a command injection vulnerability via the setddns_pip_system() function.
- CVE-2025-55623Aug 22, 2025risk 0.00cvss —epss 0.00
An issue in the lock screen component of Reolink v4.54.0.4.20250526 allows attackers to bypass authentication via using an ADB (Android Debug Bridge).
- CVE-2025-55630Aug 22, 2025risk 0.00cvss —epss 0.00
A discrepancy in the error message returned by the login function of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 when entering the wrong username and password allows attackers to enumerate existing accounts.
- CVE-2025-55622Aug 22, 2025risk 0.00cvss —epss 0.00
Reolink v4.54.0.4.20250526 was discovered to contain a task hijacking vulnerability due to inappropriate taskAffinity settings. NOTE: this is disputed by the Supplier because it is intentional behavior to ensure a predictable user experience.
- CVE-2025-55621Aug 22, 2025risk 0.00cvss —epss 0.00
An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are…
- CVE-2024-48605Oct 22, 2024risk 0.00cvss —epss 0.01
An issue in Helakuru Desktop Application v1.1 allows a local attacker to execute arbitrary code via the lack of proper validation of the wow64log.dll file.
- CVE-2022-36263Aug 19, 2022risk 0.00cvss —epss 0.00
StreamLabs Desktop Application 1.9.0 is vulnerable to Incorrect Access Control via obs64.exe. An attacker can execute arbitrary code via a crafted .exe file.
- CVE-2021-44394Apr 14, 2022risk 0.00cvss —epss 0.02
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2021-44375Apr 14, 2022risk 0.00cvss —epss 0.02
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2021-44366Apr 14, 2022risk 0.00cvss —epss 0.02
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2021-44357Apr 14, 2022risk 0.00cvss —epss 0.02
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2021-44356Apr 14, 2022risk 0.00cvss —epss 0.02
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2021-44355Apr 14, 2022risk 0.00cvss —epss 0.02
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2021-44354Apr 14, 2022risk 0.00cvss —epss 0.02
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2021-40405Apr 14, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi Upgrade API functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2021-44419Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetMdAlarm param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44418Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetMdState param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44417Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetAlarm param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44416Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. Disconnect param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44415Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. ModifyUser param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44414Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. DelUser param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44413Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. AddUser param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44412Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetRec param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44407Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. TestEmail param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44406Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetAutoFocus param is not object. An attacker can send an HTTP request to trigger this…
- CVE-2021-44405Jan 28, 2022risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. StartZoomFocus param is not object. An attacker can send an HTTP request to trigger…
Page 1 of 3