PYSEC-2026-681

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/motioneye/PYSEC-2026-681.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-681
Aliases
Published
2026-07-02T14:13:15.109139Z
Modified
2026-07-06T08:00:39.999549385Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Unrestricted Upload of File with Dangerous Type in motionEye
Details

motionEye <= 0.42.1 and motioneEyeOS <= 20200606 allow a remote attacker to upload a configuration backup file containing a malicious python pickle file. This is possible when an installation is accessible over the Internet and uses no or poor authentication credentials.

The GitHub repositories for motionEye and motionEyeOS are no longer being actively maintained as of January 2022, so release of a patched version is unlikely. Keeping a motionEye or motionEyeOS installation off of the Internet and/or using strong credentials provide protection against this issue.

References

Affected packages

PyPI / motioneye

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.42.1

Affected versions

0.*
0.27
0.27.1
0.27.2
0.28
0.28.1
0.28.2
0.28.3
0.29rc1
0.29rc2
0.29
0.29.1
0.30rc1
0.30rc2
0.30
0.31
0.31.1
0.31.2
0.31.3
0.31.4
0.31.5
0.32
0.32.1
0.32.2
0.33
0.33.1
0.33.2
0.33.3
0.33.4
0.34rc1
0.34
0.34.1
0.35rc1
0.35
0.35.1
0.35.2
0.36
0.36.1
0.37rc1
0.37
0.37.1
0.38
0.38.1
0.39
0.39.1
0.39.2
0.39.3
0.40rc1
0.40rc2
0.40rc3
0.40rc4
0.40rc5
0.40
0.41rc1
0.41
0.42
0.42.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/motioneye/PYSEC-2026-681.yaml"