Medium
CVSS: 5.1
The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files allowing attackers with local access to decrypt sensitive application data stored in %APPDATA%. A different vulnerabili…
Medium
CVSS: 5.1
The Reolink Desktop Application 8.18.12 contains hardcoded credentials as the Initialization Vector (IV) in its AES-CFB encryption implementation allowing attackers with access to the application environment to reliably decrypt encrypted co…
Medium
CVSS: 5.1
Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because…
Medium
CVSS: 6.5
Reolink desktop application 8.18.12 contains a command injection vulnerability in its scheduled cache-clearing mechanism via a crafted folder name. NOTE: this is disputed by the Supplier because a crafted folder name would arise only if the…
Medium
CVSS: 6.3
An open redirect vulnerability in Reolink v4.54.0.4.20250526 allows attackers to redirect users to a malicious site via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior that supports redirection to Al…
Medium
CVSS: 5.3
An intent redirection vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access internal functions or access non-public components.
Medium
CVSS: 5.4
An issue in the lock screen component of Reolink v4.54.0.4.20250526 allows attackers to bypass authentication via using an ADB (Android Debug Bridge).
Medium
CVSS: 6.5
Reolink v4.54.0.4.20250526 was discovered to contain a task hijacking vulnerability due to inappropriate taskAffinity settings. NOTE: this is disputed by the Supplier because it is intentional behavior to ensure a predictable user experienc…
Medium
CVSS: 6.5
An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is…
Medium
CVSS: 6.1
A cross-site scripting (XSS) vulnerability in the valuateJavascript() function of Reolink v4.54.0.4.20250526 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Critical
CVSS: 9.8
Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse enginee…