CVE-2026-22563 PUBLISHED

Assigner: hackerone
Reserved: 07.01.2026 Published: 13.04.2026 Updated: 14.04.2026

A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network.

Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)


Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later
 Update UniFi Play Audio Port  to Version 1.1.9 or later

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor Ubiquiti Inc
Product UniFi Play PowerAmp
Versions Default: unaffected
  • affected from 0 to 1.0.38 (excl.)
Vendor Ubiquiti Inc
Product UniFi Play Audio Port
Versions Default: unaffected
  • affected from 0 to 1.1.9 (excl.)

References

Problem Types

  • CWE-20 Improper Input Validation CWE