VYPR
Vendor: Xiaomi

Products: 59
CVEs: 93
Across products: 82
Status: Private

Recent CVEs

  • CVE-2026-29515 | Critical | Mar 11, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which…

  • CVE-2018-14060 | Critical | Jul 15, 2018
    risk 0.64 | cvss 9.8 | epss 0.05

    OS command injection in the AP mode settings feature in /cgi-bin/luci /api/misystem/set_router_wifiap on Xiaomi R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.

  • CVE-2018-14010 | Critical | Jul 15, 2018
    risk 0.64 | cvss 9.8 | epss 0.05

    OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.

  • CVE-2024-45347 | Critical | Jun 23, 2025
    risk 0.62 | cvss 9.6 | epss 0.00

    An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by flawed validation logic and can be exploited by attackers to gain unauthorized access to the victim’s device.

  • CVE-2024-45351 | High | Mar 26, 2025
    risk 0.51 | cvss 7.8 | epss 0.00

    A code execution vulnerability exists in the Xiaomi Game center application product. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code.

  • CVE-2018-16307 | High | Sep 5, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a…

  • CVE-2026-26214 | High | Feb 12, 2026
    risk 0.48 | cvss 7.4 | epss 0.00

    Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with…

  • CVE-2024-45356 | High | Mar 27, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    An unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to access sensitive methods.

  • CVE-2024-45361 | Medium | Mar 27, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by flawed validation logic and can be exploited by attackers to leak sensitive user information.

  • CVE-2024-45353 | Medium | Mar 27, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    An intent redirection vulnerability exists in the Xiaomi quick App framework application product. The vulnerability is caused by improper input validation and can be exploited by attackers to perform intent redirection.

  • CVE-2019-18371 | Oct 23, 2019
    risk 0.07 | cvss (not listed) | epss 0.55

    An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability,…

  • CVE-2024-4406 | May 2, 2024
    risk 0.06 | cvss (not listed) | epss 0.02

    Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required to exploit this…

  • CVE-2023-26315 | Aug 26, 2024
    risk 0.05 | cvss (not listed) | epss 0.19

    The Xiaomi router AX9000 has a post-authentication command injection vulnerability. This vulnerability is caused by the lack of input filtering, allowing an attacker to exploit it to obtain root access to the device.

  • CVE-2019-18370 | Oct 23, 2019
    risk 0.05 | cvss (not listed) | epss 0.40

    An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can control the contents of the files in the decompressed directory. In addition, the…

  • CVE-2018-20523 | Jun 7, 2019
    risk 0.03 | cvss (not listed) | epss 0.10

    Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query…

  • CVE-2018-13023 | Nov 27, 2018
    risk 0.02 | cvss (not listed) | epss 0.24

    System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter.

  • CVE-2018-16130 | Nov 27, 2018
    risk 0.02 | cvss (not listed) | epss 0.24

    System command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter.

  • CVE-2024-45348 | Sep 23, 2024
    risk 0.00 | cvss (not listed) | epss 0.01

    Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code.

  • CVE-2023-26322 | Aug 28, 2024
    risk 0.00 | cvss (not listed) | epss 0.01

    A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code.

  • CVE-2023-26324 | Aug 28, 2024
    risk 0.00 | cvss (not listed) | epss 0.01

    A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code.