VYPR

Vendor CVEs

Xiaomi

All CVEs

93 total · sorted by risk
  • CVE-2026-29515 · Critical · Mar 11, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which…

  • CVE-2018-14060 · Critical · Jul 15, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    OS command injection in the AP mode settings feature in /cgi-bin/luci /api/misystem/set_router_wifiap on Xiaomi R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.

  • CVE-2018-14010 · Critical · Jul 15, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.

  • CVE-2024-45347 · Critical · Jun 23, 2025
    risk 0.62 · cvss 9.6 · epss 0.00

    An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by flawed validation logic and can be exploited by attackers to gain unauthorized access to the victim's device.

  • CVE-2024-45351 · High · Mar 26, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    A code execution vulnerability exists in the Xiaomi Game center application product. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code.

  • CVE-2018-16307 · High · Sep 5, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a…

  • CVE-2026-26214 · High · Feb 12, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disables TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with…

  • CVE-2024-45356 · High · Mar 27, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    An unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to access sensitive methods.

  • CVE-2024-45361 · Medium · Mar 27, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by flawed validation logic and can be exploited by attackers to leak sensitive user information.

  • CVE-2024-45353 · Medium · Mar 27, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    An intent redirection vulnerability exists in the Xiaomi quick App framework application product. The vulnerability is caused by improper input validation and can be exploited by attackers to perform intent redirection.

  • CVE-2019-18371 · Oct 23, 2019
    risk 0.07 · cvss n/a · epss 0.55

    An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability,…

  • CVE-2024-4406 · May 2, 2024
    risk 0.06 · cvss n/a · epss 0.02

    Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required to exploit this…

  • CVE-2023-26315 · Aug 26, 2024
    risk 0.05 · cvss n/a · epss 0.19

    The Xiaomi router AX9000 has a post-authentication command injection vulnerability. This vulnerability is caused by the lack of input filtering, allowing an attacker to exploit it to obtain root access to the device.

  • CVE-2019-18370 · Oct 23, 2019
    risk 0.05 · cvss n/a · epss 0.40

    An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can control the contents of the files in the decompressed directory. In addition, the…

  • CVE-2018-20523 · Jun 7, 2019
    risk 0.03 · cvss n/a · epss 0.10

    Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query…

  • CVE-2018-16130 · Nov 27, 2018
    risk 0.02 · cvss n/a · epss 0.24

    System command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter.

  • CVE-2018-13023 · Nov 27, 2018
    risk 0.02 · cvss n/a · epss 0.24

    System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter.

  • CVE-2024-45348 · Sep 23, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code.

  • CVE-2023-26322 · Aug 28, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code.

  • CVE-2023-26324 · Aug 28, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code.

  • CVE-2024-4405 · May 2, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required to exploit this vulnerability…

  • CVE-2023-26320 · Oct 11, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.

  • CVE-2023-26319 · Oct 11, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.

  • CVE-2023-26318 · Oct 11, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Xiaomi Xiaomi Router allows Overflow Buffers.

  • CVE-2023-26317 · Aug 2, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing.

  • CVE-2020-14126 · Jul 22, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Information leakage vulnerability exists in the Mi Sound APP. This vulnerability is caused by illegal calls of some sensitive JS interfaces, which can be exploited by attackers to leak sensitive information.

  • CVE-2022-31277 · Jun 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Xiaomi Lamp 1 v2.0.4_0066 was discovered to be vulnerable to replay attacks. This allows attackers to bypass the expected access restrictions and gain control of the switch and other functions via a crafted POST request.

  • CVE-2020-14117 · Apr 21, 2022
    risk 0.00 · cvss n/a · epss 0.01

    An improper permission configuration vulnerability in Xiaomi Content Center APP. This vulnerability is caused by the lack of correct permission verification in the Xiaomi content center APP, and attackers can use this vulnerability to invoke the sensitive component functions of…

  • CVE-2020-14116 · Apr 21, 2022
    risk 0.00 · cvss n/a · epss 0.00

    An intent redirection vulnerability in the Mi Browser product. This vulnerability is caused by the Mi Browser not verifying the validity of the incoming data. Attackers can perform sensitive operations by exploiting this.

  • CVE-2020-14115 · Mar 7, 2022
    risk 0.00 · cvss n/a · epss 0.01

    A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection of incoming data. Attackers can exploit this vulnerability to execute code.

  • CVE-2020-14111 · Mar 7, 2022
    risk 0.00 · cvss n/a · epss 0.00

    A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection of incoming data. Attackers can exploit this vulnerability to execute code.

  • CVE-2020-14112 · Mar 7, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Information Leak Vulnerability exists in the Xiaomi Router AX6000. The vulnerability is caused by incorrect routing configuration. Attackers can exploit this vulnerability to download part of the files in Xiaomi Router AX6000.

  • CVE-2020-14110 · Jan 18, 2022
    risk 0.00 · cvss n/a · epss 0.00

    AX3600 router sensitive information leaked. There is an unauthorized interface through luci to obtain sensitive information and log in to the web background.

  • CVE-2020-14124 · Sep 16, 2021
    risk 0.00 · cvss n/a · epss 0.02

    There is a buffer overflow in librsa.so called by the getwifipwdurl interface, resulting in code execution on Xiaomi router AX3600 with ROM version =< 1.1.12.

  • CVE-2020-14119 · Sep 16, 2021
    risk 0.00 · cvss n/a · epss 0.03

    There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with ROM version < 1.1.12.

  • CVE-2020-14109 · Sep 16, 2021
    risk 0.00 · cvss n/a · epss 0.02

    There is command injection in the meshd program in the routing system, resulting in command execution under administrator authority on Xiaomi router AX3600 with ROM version =< 1.1.12.

  • CVE-2020-14130 · Sep 16, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Some JS interfaces in the Xiaomi community app were exposed, causing sensitive functions to be maliciously called. Affected version: < 3.0.210809.

  • CVE-2020-14105 · Apr 20, 2021
    risk 0.00 · cvss n/a · epss 0.00

    The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15.

  • CVE-2020-14106 · Apr 8, 2021
    risk 0.00 · cvss n/a · epss 0.01

    The application in the mobile phone can gain unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26.

  • CVE-2020-14103 · Apr 8, 2021
    risk 0.00 · cvss n/a · epss 0.01

    The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15.

  • CVE-2020-14099 · Apr 8, 2021
    risk 0.00 · cvss n/a · epss 0.01

    On Xiaomi router AX1800 ROM version < 1.0.336 and RM1800 root version < 1.0.26, the encryption scheme for a user's backup files uses hard-coded keys, which can expose sensitive information such as a user's password.

  • CVE-2020-14104 · Apr 8, 2021
    risk 0.00 · cvss n/a · epss 0.01

    A race condition in XQBACKUP causes a decompression path error on Xiaomi router AX3600 with ROM version =1.0.50.

  • CVE-2020-14102 · Jan 13, 2021
    risk 0.00 · cvss n/a · epss 0.02

    There is command injection when ddns processes the hostname, which allows the administrator user to obtain the root privilege of the router. This affects Xiaomi router AX1800 ROM version < 1.0.336 and Xiaomi router RM1800 root version < 1.0.26.

  • CVE-2020-14098 · Jan 13, 2021
    risk 0.00 · cvss n/a · epss 0.01

    The login verification can be bypassed because the time is not synchronized after the router restarts. This affects Xiaomi router AX1800 ROM version < 1.0.336 and Xiaomi router RM1800 root version < 1.0.26.

  • CVE-2020-14097 · Jan 13, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Wrong nginx configuration, causing specific paths to be downloadable without authorization. This affects Xiaomi router AX6 ROM version < 1.0.18.

  • CVE-2020-14101 · Jan 13, 2021
    risk 0.00 · cvss n/a · epss 0.01

    The data collection SDK of the router web management interface caused the leakage of the token. This affects Xiaomi router AX1800 ROM version < 1.0.336 and Xiaomi router RM1800 root version < 1.0.26.

  • CVE-2020-14100 · Sep 11, 2020
    risk 0.00 · cvss n/a · epss 0.05

    In Xiaomi router R3600 ROM version < 1.0.66, filters in the set_WAN6 interface can be bypassed, causing remote code execution. The router administrator can gain root access from this vulnerability.

  • CVE-2020-14096 · Sep 11, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Memory overflow in Xiaomi AI speaker ROM version < 1.59.6 can happen when the speaker verifies a malicious firmware during the OTA process.

  • CVE-2020-10561 · Jun 24, 2020
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered on Xiaomi Mi Jia ink-jet printer < 3.4.6_0138. Injecting parameters into ippserver through the web management background results in command execution vulnerabilities.

  • CVE-2020-11961 · Jun 24, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Xiaomi router R3600 ROM before 1.0.50 is affected by a sensitive information leakage caused by an insecure interface, get_config_result, reachable without authentication.

Page 1 of 2