MEDIUM SeverityCVSS 3.16.0CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE-2026-0802

Last updated May 12, 2026 · Published May 12, 2026

Description

An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

Affected products

1 listed

Axis Communications AB:AXIS OS

Mappings

CWE

CWE-1287

CAPEC

None listed.

Research

Command injection: how it works and how to prevent itCommand injection happens when untrusted input reaches a shell or process spawn. Avoid the shell, pass…

Training

Input Validation and Schema EnforcementValidate early, validate strictly - schemas, allowlists, and type-safe boundaries.
Injection TodaySQL, NoSQL, ORM, and LLM injection - what's changed and what hasn't.
Authorisation and Access ControlRBAC, ABAC, and privilege escalation patterns in real applications.

CVE-2026-0802

Description

Affected products

Mappings

Related