Every CVE whose affected-product data names Axis Axis Os, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (36)
CVE-2025-0324 — CVSS 9.4 (critical): The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.
CVE-2023-21413 — CVSS 9.1 (critical): GoSecure on behalf of Genetec Inc. has found a flaw that allows for a remote code execution during the installation of ACAP applications on…
CVE-2025-0358 — CVSS 8.8 (high): During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration…
CVE-2021-31988 — CVSS 8.8 (high): A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and…
CVE-2025-0359 — CVSS 8.5 (high): During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework…
CVE-2025-0360 — CVSS 7.8 (high): During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration…
CVE-2023-5553 — CVSS 7.6 (high): During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly…
CVE-2021-31987 — CVSS 7.5 (high): A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network…
CVE-2023-21416 — CVSS 7.1 (high): Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a…
CVE-2023-21417 — CVSS 7.1 (high): Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerable to path…
CVE-2023-21418 — CVSS 7.1 (high): Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks…
CVE-2023-21414 — CVSS 7.1 (high): NCC Group has found a flaw during the annual internal penetration test ordered by Axis Communications. The protection for device tampering…
CVE-2025-11142 — CVSS 7.1 (high): The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can…
CVE-2021-31986 — CVSS 6.8 (medium): User controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow resulting in…
CVE-2025-5718 — CVSS 6.8 (medium): The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the…
CVE-2025-8108 — CVSS 6.7 (medium): An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This…
CVE-2026-0804 — CVSS 6.7 (medium): An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege…
CVE-2025-30027 — CVSS 6.7 (medium): An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only…
CVE-2025-3892 — CVSS 6.7 (medium): ACAP applications can be executed with elevated privileges, potentially leading to privilege escalation. This vulnerability can only be…
CVE-2025-4645 — CVSS 6.7 (medium): An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only…
CVE-2025-6298 — CVSS 6.7 (medium): ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This…
CVE-2025-6779 — CVSS 6.7 (medium): An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. This…
CVE-2026-0541 — CVSS 6.7 (medium): ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to…
CVE-2025-5452 — CVSS 6.6 (medium): A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, leading to…
CVE-2023-21405 — CVSS 6.5 (medium): Knud from Fraktal.fi has found a flaw in some Axis Network Door Controllers and Axis Network Intercoms when communicating over OSDP…
CVE-2024-0055 — CVSS 6.5 (medium): Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for…
CVE-2023-21415 — CVSS 6.5 (medium): Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal…
CVE-2025-5454 — CVSS 6.4 (medium): An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege…
CVE-2026-0802 — CVSS 6.0 (medium): An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege…
CVE-2023-5800 — CVSS 5.4 (medium): Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input…
CVE-2026-1185 — CVSS 5.4 (medium): A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to…
CVE-2023-21404 — CVSS 5.3 (medium): AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is not used…
CVE-2024-47261 — CVSS 4.3 (medium): 51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input…
CVE-2025-0361 — CVSS 4.3 (medium): During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration…
CVE-2024-8160 — CVSS 3.8 (low): Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation…
CVE-2024-47259 — CVSS 3.5 (low): Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input…