Vendor CVEs
Xiaomi
All CVEs
93 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-29515 | | Critical | 0.64 | 9.8 | 0.00 | | Mar 11, 2026 | MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which… |
| CVE-2018-14060 | | Critical | 0.64 | 9.8 | 0.05 | | Jul 15, 2018 | OS command injection in the AP mode settings feature in /cgi-bin/luci /api/misystem/set_router_wifiap on Xiaomi R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data. |
| CVE-2018-14010 | | Critical | 0.64 | 9.8 | 0.05 | | Jul 15, 2018 | OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data. |
| CVE-2024-45347 | | Critical | 0.62 | 9.6 | 0.00 | | Jun 23, 2025 | An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by flawed validation logic and can be exploited by attackers to gain unauthorized access to the victim’s device. |
| CVE-2024-45351 | | High | 0.51 | 7.8 | 0.00 | | Mar 26, 2025 | A code execution vulnerability exists in the Xiaomi Game center application product. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code. |
| CVE-2018-16307 | | High | 0.49 | 7.5 | 0.02 | | Sep 5, 2018 | An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a… |
| CVE-2026-26214 | | High | 0.48 | 7.4 | 0.00 | | Feb 12, 2026 | Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with… |
| CVE-2024-45356 | | High | 0.47 | 7.3 | 0.00 | | Mar 27, 2025 | An unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to access sensitive methods. |
| CVE-2024-45361 | | Medium | 0.42 | 6.5 | 0.00 | | Mar 27, 2025 | A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by flawed validation logic and can be exploited by attackers to leak sensitive user information. |
| CVE-2024-45353 | | Medium | 0.28 | 4.3 | 0.00 | | Mar 27, 2025 | An intent redirection vulnerability exists in the Xiaomi quick App framework application product. The vulnerability is caused by improper input validation and can be exploited by attackers to perform intent redirection. |
| CVE-2019-18371 | | | 0.07 | — | 0.55 | | Oct 23, 2019 | An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability,… |
| CVE-2024-4406 | | | 0.06 | — | 0.02 | | May 2, 2024 | Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required to exploit this… |
| CVE-2023-26315 | | | 0.05 | — | 0.19 | | Aug 26, 2024 | The Xiaomi router AX9000 has a post-authentication command injection vulnerability. This vulnerability is caused by the lack of input filtering, allowing an attacker to exploit it to obtain root access to the device. |
| CVE-2019-18370 | | | 0.05 | — | 0.40 | | Oct 23, 2019 | An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can control the contents of the files in the decompressed directory. In addition, the… |
| CVE-2018-20523 | | | 0.03 | — | 0.10 | | Jun 7, 2019 | Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query… |
| CVE-2018-16130 | | | 0.02 | — | 0.24 | | Nov 27, 2018 | System command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter. |
| CVE-2018-13023 | | | 0.02 | — | 0.24 | | Nov 27, 2018 | System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter. |
| CVE-2024-45348 | | | 0.00 | — | 0.01 | | Sep 23, 2024 | Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code. |
| CVE-2023-26322 | | | 0.00 | — | 0.01 | | Aug 28, 2024 | A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code. |
| CVE-2023-26324 | | | 0.00 | — | 0.01 | | Aug 28, 2024 | A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code. |
| CVE-2024-4405 | | | 0.00 | — | 0.01 | | May 2, 2024 | Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required to exploit this vulnerability… |
| CVE-2023-26320 | | | 0.00 | — | 0.01 | | Oct 11, 2023 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection. |
| CVE-2023-26319 | | | 0.00 | — | 0.01 | | Oct 11, 2023 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection. |
| CVE-2023-26318 | | | 0.00 | — | 0.01 | | Oct 11, 2023 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Xiaomi Xiaomi Router allows Overflow Buffers. |
| CVE-2023-26317 | | | 0.00 | — | 0.01 | | Aug 2, 2023 | Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing. |
| CVE-2020-14126 | | | 0.00 | — | 0.01 | | Jul 22, 2022 | Information leakage vulnerability exists in the Mi Sound APP. This vulnerability is caused by illegal calls of some sensitive JS interfaces, which can be exploited by attackers to leak sensitive information. |
| CVE-2022-31277 | | | 0.00 | — | 0.01 | | Jun 16, 2022 | Xiaomi Lamp 1 v2.0.4_0066 was discovered to be vulnerable to replay attacks. This allows attackers to bypass the expected access restrictions and gain control of the switch and other functions via a crafted POST request. |
| CVE-2020-14117 | | | 0.00 | — | 0.01 | | Apr 21, 2022 | An improper permission configuration vulnerability in Xiaomi Content Center APP. This vulnerability is caused by the lack of correct permission verification in the Xiaomi content center APP, and attackers can use this vulnerability to invoke the sensitive component functions of… |
| CVE-2020-14116 | | | 0.00 | — | 0.00 | | Apr 21, 2022 | An intent redirection vulnerability in the Mi Browser product. This vulnerability is caused by the Mi Browser not verifying the validity of the incoming data. Attackers can perform sensitive operations by exploiting this. |
| CVE-2020-14115 | | | 0.00 | — | 0.01 | | Mar 7, 2022 | A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection for incoming data detection. Attackers can exploit this vulnerability to execute code. |
| CVE-2020-14111 | | | 0.00 | — | 0.00 | | Mar 7, 2022 | A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection for incoming data detection. Attackers can exploit this vulnerability to execute code. |
| CVE-2020-14112 | | | 0.00 | — | 0.01 | | Mar 7, 2022 | Information Leak Vulnerability exists in the Xiaomi Router AX6000. The vulnerability is caused by incorrect routing configuration. Attackers can exploit this vulnerability to download part of the files in Xiaomi Router AX6000. |
| CVE-2020-14110 | | | 0.00 | — | 0.00 | | Jan 18, 2022 | AX3600 router sensitive information leaked. There is an unauthorized interface through luci to obtain sensitive information and log in to the web background. |
| CVE-2020-14124 | | | 0.00 | — | 0.02 | | Sep 16, 2021 | There is a buffer overflow in librsa.so called by getwifipwdurl interface, resulting in code execution on Xiaomi router AX3600 with ROM version =rom< 1.1.12. |
| CVE-2020-14119 | | | 0.00 | — | 0.03 | | Sep 16, 2021 | There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with rom versionrom< 1.1.12 |
| CVE-2020-14109 | | | 0.00 | — | 0.02 | | Sep 16, 2021 | There is command injection in the meshd program in the routing system, resulting in command execution under administrator authority on Xiaomi router AX3600 with ROM version =< 1.1.12 |
| CVE-2020-14130 | | | 0.00 | — | 0.01 | | Sep 16, 2021 | Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on Xiaomi community app Affected Version <3.0.210809 |
| CVE-2020-14105 | | | 0.00 | — | 0.00 | | Apr 20, 2021 | The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15. |
| CVE-2020-14106 | | | 0.00 | — | 0.01 | | Apr 8, 2021 | The application in the mobile phone can gain unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26. |
| CVE-2020-14103 | | | 0.00 | — | 0.01 | | Apr 8, 2021 | The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15. |
| CVE-2020-14099 | | | 0.00 | — | 0.01 | | Apr 8, 2021 | On Xiaomi router AX1800 rom version < 1.0.336 and RM1800 root version < 1.0.26, the encryption scheme for a user's backup files uses hard-coded keys, which can expose sensitive information such as a user's password. |
| CVE-2020-14104 | | | 0.00 | — | 0.01 | | Apr 8, 2021 | A RACE CONDITION on XQBACKUP causes a decompression path error on Xiaomi router AX3600 with ROM version =1.0.50. |
| CVE-2020-14102 | | | 0.00 | — | 0.02 | | Jan 13, 2021 | There is command injection when ddns processes the hostname, which causes the administrator user to obtain the root privilege of the router. This affects Xiaomi router AX1800 rom version < 1.0.336 and Xiaomi router RM1800 root version < 1.0.26. |
| CVE-2020-14098 | | | 0.00 | — | 0.01 | | Jan 13, 2021 | The login verification can be bypassed by using the problem that the time is not synchronized after the router restarts. This affects Xiaomi router AX1800 rom version < 1.0.336 and Xiaomi router RM1800 root version < 1.0.26. |
| CVE-2020-14097 | | | 0.00 | — | 0.01 | | Jan 13, 2021 | Wrong nginx configuration, causing specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18. |
| CVE-2020-14101 | | | 0.00 | — | 0.01 | | Jan 13, 2021 | The data collection SDK of the router web management interface caused the leakage of the token. This affects Xiaomi router AX1800 rom version < 1.0.336 and Xiaomi router RM1800 root version < 1.0.26. |
| CVE-2020-14100 | | | 0.00 | — | 0.05 | | Sep 11, 2020 | In Xiaomi router R3600 ROM version<1.0.66, filters in the set_WAN6 interface can be bypassed, causing remote code execution. The router administrator can gain root access from this vulnerability. |
| CVE-2020-14096 | | | 0.00 | — | 0.01 | | Sep 11, 2020 | Memory overflow in Xiaomi AI speaker Rom version <1.59.6 can happen when the speaker is verifying a malicious firmware during the OTA process. |
| CVE-2020-10561 | | | 0.00 | — | 0.02 | | Jun 24, 2020 | An issue was discovered on Xiaomi Mi Jia ink-jet printer < 3.4.6_0138. Injecting parameters to ippserver through the web management background, resulting in command execution vulnerabilities. |
| CVE-2020-11961 | | | 0.00 | — | 0.01 | | Jun 24, 2020 | Xiaomi router R3600 ROM before 1.0.50 is affected by a sensitive information leakage caused by an insecure interface get_config_result without authentication |