PexipCVEs & Vulnerabilities

46 CVEs affecting Pexip products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

pexip infinity 39infinity 5infinity connect 2reverse proxy and turn server 2virtual meeting rooms 1
CVE-2025-30080HIGH

Signalling in Pexip Infinity 29 through 36.2 before 37.0 has improper input validation that allows remote attackers to trigger a temporary denial of service (software abort).

3 Apr 2025
7.5
CVSS
CVE-2024-37917HIGH

Pexip Infinity before 35.0 has improper input validation that allows remote attackers to trigger a denial of service (software abort) via a crafted signalling message.

3 Apr 2025
7.5
CVSS
CVE-2024-33850MEDIUM

Pexip Infinity before 34.1 has Improper Access Control for persons in a waiting room. They can see the conference roster list, and perform certain actions that should not be allowed before they are admitted to the meeting.

11 Jun 2024
4.3
CVSS
CVE-2023-40236MEDIUM

In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.

25 Dec 2023
5.3
CVSS
CVE-2023-37225MEDIUM

Pexip Infinity before 32 allows Webapp1 XSS via preconfigured links.

25 Dec 2023
6.1
CVSS
CVE-2023-31455HIGH

Pexip Infinity before 31.2 has Improper Input Validation for RTCP, allowing remote attackers to trigger an abort.

25 Dec 2023
7.5
CVSS
CVE-2023-31289HIGH

Pexip Infinity before 31.2 has Improper Input Validation for signalling, allowing remote attackers to trigger an abort.

25 Dec 2023
7.5
CVSS
CVE-2022-32263HIGH

Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.

18 Jul 2022
7.5
CVSS
CVE-2022-29286HIGH

Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.

18 Jul 2022
7.5
CVSS
CVE-2022-27937HIGH

Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.

18 Jul 2022
7.5
CVSS
CVE-2022-27936HIGH

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.

18 Jul 2022
7.5
CVSS
CVE-2022-27935HIGH

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.

18 Jul 2022
7.5
CVSS
CVE-2022-27934HIGH

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.

18 Jul 2022
7.5
CVSS
CVE-2022-27933HIGH

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

18 Jul 2022
8.2
CVSS
CVE-2022-27932HIGH

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

18 Jul 2022
7.5
CVSS
CVE-2022-27931HIGH

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

18 Jul 2022
7.5
CVSS
CVE-2022-27930MEDIUM

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.

18 Jul 2022
5.9
CVSS
CVE-2022-27929HIGH

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.

18 Jul 2022
7.5
CVSS
CVE-2022-27928HIGH

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

18 Jul 2022
7.5
CVSS
CVE-2022-26657HIGH

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

18 Jul 2022
7.5
CVSS
CVE-2022-26656HIGH

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.

18 Jul 2022
8.2
CVSS
CVE-2022-26655HIGH

Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.

18 Jul 2022
7.5
CVSS
CVE-2022-26654HIGH

Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.

18 Jul 2022
7.5
CVSS
CVE-2022-25357MEDIUM

Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.

18 Jul 2022
5.3
CVSS
CVE-2022-23228HIGH

Pexip Infinity before 27.0 has improper WebRTC input validation. An unauthenticated remote attacker can use excessive resources, temporarily causing denial of service.

19 Feb 2022
7.5
CVSS
CVE-2021-29656CRITICAL

Pexip Infinity Connect before 1.8.0 mishandles TLS certificate validation. The allow list is not properly checked.

19 Feb 2022
9.8
CVSS
CVE-2021-29655CRITICAL

Pexip Infinity Connect before 1.8.0 omits certain provisioning authenticity checks. Thus, untrusted code may execute.

19 Feb 2022
9.8
CVSS
CVE-2021-42555HIGH

Pexip Infinity before 26.2 allows temporary remote Denial of Service (abort) because of missing call-setup input validation.

15 Jan 2022
7.5
CVSS
CVE-2021-35969HIGH

Pexip Infinity before 26 allows temporary remote Denial of Service (abort) because of missing call-setup input validation.

15 Jan 2022
7.5
CVSS
CVE-2021-33499HIGH

Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 2 of 2).

15 Jan 2022
7.5
CVSS
CVE-2021-33498HIGH

Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 1 of 2).

15 Jan 2022
7.5
CVSS
CVE-2021-32545HIGH

Pexip Infinity before 26 allows remote denial of service because of missing RTMP input validation.

15 Jan 2022
7.5
CVSS
CVE-2021-31925HIGH

Pexip Infinity 25.x before 25.4 has Improper Input Validation, and thus an unauthenticated remote attacker can cause a denial of service via the administrative web interface.

7 Jul 2021
7.5
CVSS
CVE-2020-25868HIGH

Pexip Infinity 22.x through 24.x before 24.2 has Improper Input Validation for call setup. An unauthenticated remote attacker can trigger a software abort (temporary loss of service).

7 Jul 2021
7.5
CVSS
CVE-2020-24615MEDIUM

Pexip Infinity before 24.1 has Improper Input Validation, leading to temporary denial of service via SIP.

25 Sep 2020
5.3
CVSS
CVE-2020-13387HIGH

Pexip Infinity before 23.4 has a lack of input validation, leading to temporary denial of service via H.323.

25 Sep 2020
7.5
CVSS
CVE-2020-12824HIGH

Pexip Infinity 23.x before 23.3 has improper input validation, leading to a temporary software abort via RTP.

25 Sep 2020
7.5
CVSS
CVE-2020-11805CRITICAL

Pexip Reverse Proxy and TURN Server before 6.1.0 has Incorrect UDP Access Control via TURN.

25 Sep 2020
9.8
CVSS
CVE-2019-7178HIGH

Pexip Infinity before 20.1 allows privilege escalation by restoring a system backup.

25 Sep 2020
7.2
CVSS
CVE-2019-7177HIGH

Pexip Infinity before 20.1 allows Code Injection onto nodes via an admin.

25 Sep 2020
7.2
CVSS
CVE-2018-10585HIGH

Pexip Infinity before 18 allows remote Denial of Service (XML parsing).

25 Sep 2020
7.5
CVSS
CVE-2018-10432HIGH

Pexip Infinity before 18 allows Remote Denial of Service (TLS handshakes in RTMP).

25 Sep 2020
7.5
CVSS
CVE-2017-17477MEDIUM

Pexip Infinity before 17 allows an unauthenticated remote attacker to achieve stored XSS via management web interface views.

25 Sep 2020
6.1
CVSS
CVE-2015-4719CRITICAL

The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.

24 Sep 2020
9.8
CVSS
CVE-2017-6551CRITICAL

Pexip Infinity before 14.2 allows remote attackers to cause a denial of service (service restart) or execute arbitrary code via vectors related to Conferencing Nodes.

2 May 2017
9.8
CVSS
CVE-2014-8779HIGH

Pexip Infinity before 8 uses the same SSH host keys across different customers' installations, which allows man-in-the-middle attackers to spoof Management and Conferencing Nodes by leveraging these keys.

3 Feb 2015
7.1
CVSS
← PrevPage 1 / 1Next →