5 vulnerabilities by motioneye-project
CVE-2026-32315 (GCVE-0-2026-32315)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:45 – Updated: 2026-06-24 20:45
Title
motionEye: World-Readable Configuration File Exposes Admin Password Hash
Summary
motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions (-rw-r--r--), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges. Additionally, per-camera configuration files (camera-*.conf) are also created with the same 644 permissions, potentially exposing camera-specific credentials and settings. The exposed SHA1 admin password hash can be cracked offline to recover the plaintext password, used directly to forge authenticated admin API requests via the signature authentication weakness (GHSA-45h7-499j-7ww3), and chained with the OS command injection flaw (CVE-2025-60787) to escalate a local unprivileged user to the Motion daemon user (often root), enabling full system compromise. This issue has been fixed in version 0.44.0.
Severity
5.5 (Medium)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/motioneye-project/motioneye/se… | x_refsource_CONFIRM |
| https://github.com/motioneye-project/motioneye/re… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| motioneye-project | motioneye | Affected: < 0.44.0 |
{
"containers": {
"cna": {
"affected": [
{
"product": "motioneye",
"vendor": "motioneye-project",
"versions": [
{
"status": "affected",
"version": "\u003c 0.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions (-rw-r--r--), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges. Additionally, per-camera configuration files (camera-*.conf) are also created with the same 644 permissions, potentially exposing camera-specific credentials and settings. The exposed SHA1 admin password hash can be cracked offline to recover the plaintext password, used directly to forge authenticated admin API requests via the signature authentication weakness (GHSA-45h7-499j-7ww3), and chained with the OS command injection flaw (CVE-2025-60787) to escalate a local unprivileged user to the Motion daemon user (often root), enabling full system compromise. This issue has been fixed in version 0.44.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:45:34.326Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rhgp-6wq6-9j67",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rhgp-6wq6-9j67"
},
{
"name": "https://github.com/motioneye-project/motioneye/releases/tag/0.44.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/motioneye-project/motioneye/releases/tag/0.44.0"
}
],
"source": {
"advisory": "GHSA-rhgp-6wq6-9j67",
"discovery": "UNKNOWN"
},
"title": "motionEye: World-Readable Configuration File Exposes Admin Password Hash"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32315",
"datePublished": "2026-06-24T20:45:34.326Z",
"dateReserved": "2026-03-11T21:16:21.660Z",
"dateUpdated": "2026-06-24T20:45:34.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31978 (GCVE-0-2026-31978)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:28 – Updated: 2026-06-24 20:28
Title
motionEye: Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
Summary
motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, such as /picture/{id}/preview/{filename}. Neither the API handlers nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras' surveillance footage. This issue has been fixed in version 0.44.0.
Severity
6.5 (Medium)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/motioneye-project/motioneye/se… | x_refsource_CONFIRM |
| https://github.com/motioneye-project/motioneye/re… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| motioneye-project | motioneye | Affected: < 0.44.0 |
{
"containers": {
"cna": {
"affected": [
{
"product": "motioneye",
"vendor": "motioneye-project",
"versions": [
{
"status": "affected",
"version": "\u003c 0.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, suhc as /picture/{id}/preview/{filename}. Neither the API handlers, nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras\u0027 surveillance footage. This issue has been fixed in version 0.44.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:28:24.286Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g9fx-5r4h-pcw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g9fx-5r4h-pcw3"
},
{
"name": "https://github.com/motioneye-project/motioneye/releases/tag/0.44.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/motioneye-project/motioneye/releases/tag/0.44.0"
}
],
"source": {
"advisory": "GHSA-g9fx-5r4h-pcw3",
"discovery": "UNKNOWN"
},
"title": "motionEye: Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31978",
"datePublished": "2026-06-24T20:28:24.286Z",
"dateReserved": "2026-03-10T15:40:10.487Z",
"dateUpdated": "2026-06-24T20:28:24.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55488 (GCVE-0-2026-55488)
Vulnerability from cvelistv5 – Published: 2026-06-24 15:03 – Updated: 2026-06-24 17:29
Title
motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
Summary
motionEye (mEye) is an online interface for a piece of software called "motion," which is a video surveillance program with motion detection. Versions prior to 0.44.0 contain an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using `os.path.join()`. When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado's built-in path validation by overriding the relevant safety checks. As a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process. Version 0.44.0 fixes the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/motioneye-project/motioneye/se… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| motioneye-project | motioneye | Affected: < 0.44.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55488",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T16:03:33.437165Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T17:29:03.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rw9q-97r9-8gvh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "motioneye",
"vendor": "motioneye-project",
"versions": [
{
"status": "affected",
"version": "\u003c 0.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "motionEye (mEye) is an online interface for a piece of software called \"motion,\" which is a video surveillance program with motion detection. Versions prior to 0.44.0 contain an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using `os.path.join()`. When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado\u0027s built-in path validation by overriding the relevant safety checks. As a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process. Version 0.44.0 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:03:26.208Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rw9q-97r9-8gvh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rw9q-97r9-8gvh"
}
],
"source": {
"advisory": "GHSA-rw9q-97r9-8gvh",
"discovery": "UNKNOWN"
},
"title": "motionEye\u0027s Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55488",
"datePublished": "2026-06-24T15:03:26.208Z",
"dateReserved": "2026-06-16T22:28:27.062Z",
"dateUpdated": "2026-06-24T17:29:03.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47782 (GCVE-0-2025-47782)
Vulnerability from cvelistv5 – Published: 2025-05-14 15:54 – Updated: 2025-05-14 17:36
Title
motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution
Summary
motionEye is an online interface for the software motion, a video surveillance program with motion detection. In versions 0.43.1b1 through 0.43.1b3, using a constructed (camera) device path with the `add`/`add_camera` motionEye web API allows an attacker with motionEye admin user credentials to execute any command within a non-interactive shell as the motionEye run user, `motion` by default. The vulnerability has been patched in motionEye v0.43.1b4. As a workaround, apply the patch manually.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/motioneye-project/motioneye/se… | x_refsource_CONFIRM |
| https://github.com/motioneye-project/motioneye/is… | x_refsource_MISC |
| https://github.com/motioneye-project/motioneye/pu… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| motioneye-project | motioneye | Affected: >= 0.43.1b1, < 0.43.1b4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47782",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T17:36:29.166679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:36:32.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g5mq-prx7-c588"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "motioneye",
"vendor": "motioneye-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.43.1b1, \u003c 0.43.1b4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "motionEye is an online interface for the software motion, a video surveillance program with motion detection. In versions 0.43.1b1 through 0.43.1b3, using a constructed (camera) device path with the `add`/`add_camera` motionEye web API allows an attacker with motionEye admin user credentials to execute any command within a non-interactive shell as motionEye run user, `motion` by default. The vulnerability has been patched with motionEye v0.43.1b4. As a workaround, apply the patch manually."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:54:59.309Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g5mq-prx7-c588",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g5mq-prx7-c588"
},
{
"name": "https://github.com/motioneye-project/motioneye/issues/3142",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/motioneye-project/motioneye/issues/3142"
},
{
"name": "https://github.com/motioneye-project/motioneye/pull/3143",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/motioneye-project/motioneye/pull/3143"
}
],
"source": {
"advisory": "GHSA-g5mq-prx7-c588",
"discovery": "UNKNOWN"
},
"title": "motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47782",
"datePublished": "2025-05-14T15:54:59.309Z",
"dateReserved": "2025-05-09T19:49:35.620Z",
"dateUpdated": "2025-05-14T17:36:32.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47782 (GCVE-0-2025-47782)
Vulnerability from nvd – Published: 2025-05-14 15:54 – Updated: 2025-05-14 17:36
Title
motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution
Summary
motionEye is an online interface for the software motion, a video surveillance program with motion detection. In versions 0.43.1b1 through 0.43.1b3, using a constructed (camera) device path with the `add`/`add_camera` motionEye web API allows an attacker with motionEye admin user credentials to execute any command within a non-interactive shell as the motionEye run user, `motion` by default. The vulnerability has been patched in motionEye v0.43.1b4. As a workaround, apply the patch manually.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/motioneye-project/motioneye/se… | x_refsource_CONFIRM |
| https://github.com/motioneye-project/motioneye/is… | x_refsource_MISC |
| https://github.com/motioneye-project/motioneye/pu… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| motioneye-project | motioneye | Affected: >= 0.43.1b1, < 0.43.1b4 |