HIGHCVE-2026-0854Published Modified CNA twcert
CVE-2026-0854: Merit LILIN|NVR - OS Command Injection
Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
Metrics
- CVSS v4.0
- 8.7
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 20
Affected packages
- Merit LILIN / DH032≤ 1.0.28.3858
- Merit LILIN / DVR708≤ 1.3.4
- Merit LILIN / DVR716≤ 1.3.4
- Merit LILIN / DVR804≤ 1.3.4
- Merit LILIN / DVR808≤ 1.3.4
- Merit LILIN / DVR816≤ 1.3.4
- Merit LILIN / NVR100L≤ 1.1.66
- Merit LILIN / NVR200L≤ 1.1.66
- Merit LILIN / NVR400L≤ 1.1.66
- Merit LILIN / NVR1400L≤ 1.1.66
- Merit LILIN / NVR2400L≤ 1.1.66
- Merit LILIN / NVR3216≤ 2.0.74.3921
- Merit LILIN / NVR3416≤ 2.0.74.3921
- Merit LILIN / NVR3416r≤ 2.0.74.3921
- Merit LILIN / NVR3816≤ 2.0.74.3921
- Merit LILIN / NVR5832≤ 4.0.24.4043
- Merit LILIN / NVR5832S≤ 4.0.24.4043
- Merit LILIN / NVR5104E≤ 4.0.24.4078
- Merit LILIN / NVR5208E≤ 4.0.24.4078
- Merit LILIN / NVR5416E≤ 4.0.24.4078
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences