Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Dismissed
Filter by:
With package: frigate

Found 3 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-33125
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
updated 2 hours ago by @mweinelt Activity log
  • Created automatic suggestion 1 day, 12 hours ago
  • @mweinelt removed
    2 packages
    • pkgsRocm.frigate
    • home-assistant-custom-components.frigate
    2 hours ago
  • @mweinelt dismissed 2 hours ago
Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3.

References

Affected products

frigate
  • ==< 0.16.3

Matching in nixpkgs

Ignored packages (2)

Package maintainers

Fixed in 0.16.3.
Permalink CVE-2026-33126
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 hours ago by @mweinelt Activity log
  • Created automatic suggestion 1 day, 12 hours ago
  • @mweinelt removed
    2 packages
    • pkgsRocm.frigate
    • home-assistant-custom-components.frigate
    3 hours ago
  • @mweinelt dismissed 3 hours ago
Frigate has SSRF vulnerability in /ffprobe endpoint

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.

References

Affected products

frigate
  • ==< 0.16.3

Matching in nixpkgs

Ignored packages (2)

Package maintainers

Fixed in 0.16.3
Permalink CVE-2026-25643
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse removed
    2 packages
    • pkgsRocm.frigate
    • home-assistant-custom-components.frigate
    1 month, 2 weeks ago
  • @LeSuisse dismissed 1 month, 2 weeks ago
Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.

References

Affected products

frigate
  • ==< 0.16.4

Matching in nixpkgs

Package maintainers

Not a security issue in NixOS context: https://github.com/NixOS/nixpkgs/pull/485427#issuecomment-3825303116