PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50747 Ubiquiti Inc CVE debrief

CVE-2026-50747 is a series of authenticated SQL Injection vulnerabilities in UniFi Talk Application that could allow a malicious actor with access to the network and low privileges to escalate privileges on the host device. The vulnerability has a CVSS score of 9.9 and is classified as CRITICAL. The affected product is UniFi Talk Application, and the vulnerability class is SQL Injection. The likely operational impact is privilege escalation.

Vendor
Ubiquiti Inc
Product
UniFi Talk Application
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-09
Advisory published
2026-07-02
Advisory updated
2026-07-09

Who should care

Administrators and users of UniFi Talk Application should be aware of this vulnerability and take necessary actions to mitigate it. The affected operators are those who manage UniFi Talk Application, and the platform is the host device. The vulnerability-management impact is high, and security teams should prioritize patching.

Technical summary

A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi Talk Application to escalate privileges on the host device. The vulnerability has a CVSS score of 9.9 and is classified as CRITICAL. The affected product context is UniFi Talk Application, and the defensive impact is high.

Defensive priority

High

Recommended defensive actions

  • Apply the latest patch
  • Restrict network access
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems
  • Check relevant monitoring, detection, and logs for exposed assets

Evidence notes

The CVE record was published on 2026-07-02T15:17:02.877Z and was last modified on 2026-07-09T13:21:57.180Z. The NVD entry is currently Analyzed. The vulnerability affects UniFi Talk Application and has a CVSS score of 9.9. The evidence is based on the CVE record and NVD entry.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T15:17:02.877Z and has not been modified since then.