{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4476", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-19T20:46:23.654Z", "datePublished": "2026-03-20T06:32:10.497Z", "dateUpdated": "2026-03-20T06:32:10.497Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-20T06:32:10.497Z"}, "title": "Yi Technology YI Home Camera CGI Endpoint ipc missing authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "Missing Authentication"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "Yi Technology", "product": "YI Home Camera", "versions": [{"version": "2 2.1.1_20171024151200", "status": "affected"}], "modules": ["CGI Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-19T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-19T21:51:39.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "0rbitingZer0 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.351766", "name": "VDB-351766 | Yi Technology YI Home Camera CGI Endpoint ipc missing authentication", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.351766", "name": "VDB-351766 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.773070", "name": "Submit #773070 | yitechnology YI Home Camera 2 2.1.1_20171024151200 Unauthenticated-CGI-Endpoints", "tags": ["third-party-advisory"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-4476", "lastModified": "2026-03-20T07:16:14.260", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-20T07:16:14.260", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.351766"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.351766"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.773070"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T08:22:09.885511+00:00", "value": {"mitigation_remediation": ["Check for an official firmware patch or update from Yi Technology.", "Restrict local network access to the camera using firewall rules or VLAN isolation.", "Disable or block the home/web/ipc CGI endpoint if the camera firmware allows configuration of accessible endpoints.", "Monitor network traffic for abnormal activity targeting the camera\u2019s IP address.", "Apply general IoT security best practices such as regular firmware updates and device segmentation."], "summary": {"action": "Restrict Access", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Yi Technology YI Home Camera running firmware version 2 2.1.1_20171024151200. The specific affected file is home/web/ipc within the CGI component; no other versions are listed.", "description_and_impact": "A missing authentication flaw exists in the home/web/ipc CGI endpoint of the Yi Technology YI Home Camera. The flaw allows an attacker who has local network access to manipulate the endpoint without authenticating, thereby bypassing security controls. This leads to unauthorized access and potential compromise of the device, exposing confidential content or allowing further exploitation. The weakness is identified by CWE\u2011287 (Improper Authentication) and CWE\u2011306 (Missing Authentication at Restricted Function).", "risk_and_exploitability": "The CVSS score is 5.3 indicating moderate severity. EPSS data is unavailable, and the issue is not listed in CISA\u2019s KEV catalog. The attack vector requires access to the local network, but an exploit is publicly available, raising the likelihood of compromise for networks that expose the camera. The overall risk remains moderate to high for environments where the device is not properly isolated or protected."}}}}, "created": "2026-03-20T10:37:00.033617+00:00", "updated": "2026-03-20T10:37:00.033677+00:00", "vendors": []}