CVE-2026-0854 HIGH

CVE-2026-0854: Merit LILIN|NVR - OS Command Injection

Vendor: Merit Lilin
Product: DH032
Weakness: CWE-78
Published: January 12, 2026
Last update: January 12, 2026

CVSS base score

8.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Certain DVR/NVR models developed by Merit LILIN have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.

Key dates

02 Disclosure timeline

January 12, 2026: CVE published
January 12, 2026: Record updated