CVE-2026-33126
Frigate has SSRF vulnerability in /ffprobe endpoint
| CVSS Score | 5.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 9th |
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.
| CWE | CWE-918 |
| Vendor | blakeblackshear |
| Product | frigate |
| Published | Mar 20, 2026 |
| Last Updated | Mar 25, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | None |
| Integrity | Low |
| Availability | None |
Affected Versions
| blakeblackshear / frigate | < 0.16.3 |