Ubiquiti disclosed two high-severity vulnerabilities affecting separate UniFi product lines: a cross-site scripting issue in UniFi Network Server tracked as CVE-2026-22559 and a path traversal flaw in UniFi Play tracked as CVE-2026-22562. The Network Server bug stems from improper input validation and can enable unauthorized account access if a user is socially engineered into clicking a malicious link. It affects UniFi Network Server 10.1.85 and earlier, with remediation available in 10.1.89 or later.
The more severe UniFi Play issue could let an attacker with access to the UniFi Play network write files to the device through path traversal, creating a path to remote code execution via malicious firmware file writes. Affected products include UniFi Play PowerAmp 1.0.35 and earlier and UniFi Play Audio Port 1.0.24 and earlier. Ubiquiti recommends upgrading PowerAmp to 1.0.38 or later and Audio Port to 1.1.9 or later to mitigate the exposure.

Timeline: 3 events, from the most recent confirmed update back to the earliest known activity.
A new CVE was received describing a path traversal vulnerability in UniFi Play PowerAmp 1.0.35 and earlier and Audio Port 1.0.24 and earlier that could enable malicious file writes and potential remote code execution. The entry recommends upgrading PowerAmp to 1.0.38 or later and Audio Port to 1.1.9 or later.
The CVE record for the UniFi Network Server cross-site scripting vulnerability was updated to add a CWE-20 classification, a CVSS v3.1 vector, and a reference to the vendor security advisory.
An improper input validation flaw affecting UniFi Network Server 10.1.85 and earlier could allow account compromise if a user is tricked into clicking a malicious link. Ubiquiti recommended upgrading to version 10.1.89 or later to mitigate the issue.