
# Ubiquiti UniFi CVE-2026-22557 (CVSS 10): Three Max-Severity Flaws in One Year — Your Management Plane Is the Attack Surface

CVE-2026-22557 dropped on March 18, 2026 — a CVSS 10.0 path traversal in Ubiquiti's UniFi Network Application that lets an unauthenticated attacker with network access take over any account, including admin. No credentials needed. No user interaction required.

That's bad enough on its own. But here's the real story: this is the third maximum-severity vulnerability in UniFi Network Application within 12 months. That's not bad luck — that's an architectural pattern.

If you run UniFi (and statistically, a lot of you do — it's the go-to for home labs, SMBs, and budget-conscious campus deployments), patch immediately and read on.

## What's the Vulnerability?

| Attribute | Detail |
|---|---|
| CVE | CVE-2026-22557 |
| CVSS Score | 10.0 (Maximum) |
| Type | Path traversal |
| Attack Vector | Network (unauthenticated) |
| Impact | Full account takeover including admin |
| Affected | UniFi Network Application ≤ 9.0.118, ≤ 10.1.89, ≤ 10.2.97 |
| Patched | March 18, 2026 |
| Exploited in wild? | Not yet (as of March 21) |

The attack: send crafted requests to the
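A triage helper for the affected-version ranges listed above, added here as an example (it is not code from the post or from Ubiquiti). It assumes the three ceilings the post gives (≤ 9.0.118, ≤ 10.1.89, ≤ 10.2.97): anything at or below 9.0.118 is treated as affected, the 10.1 and 10.2 lines are compared against their own ceilings, and any release line the post does not name (for example 10.0.x or 9.x above 9.0.118) is reported as `unknown` rather than guessed. The hostnames and versions in the sample inventory are constructed.

```python
"""Map UniFi Network Application versions to affected / fixed / unknown for
CVE-2026-22557, using only the ranges the post lists.  Example code, not from
the post or the vendor; behaviour for unlisted release lines is an assumption
(reported as "unknown", never as "fixed")."""

from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Absolute ceiling from the post: every version <= 9.0.118 is affected.
ABSOLUTE_CEILING: Version = (9, 0, 118)

# Per-release-line ceilings from the post, keyed by (major, minor).
LINE_CEILINGS: Dict[Tuple[int, int], Version] = {
    (10, 1): (10, 1, 89),
    (10, 2): (10, 2, 97),
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (a leading 'v' is tolerated) into an int tuple.

    Raises ValueError for anything else so malformed inventory rows are not
    silently classified.
    """
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = parse_version(version)
    if v <= ABSOLUTE_CEILING:
        return "affected"
    ceiling = LINE_CEILINGS.get(v[:2])
    if ceiling is None:
        # Release line not named in the text we have: do not guess either way.
        return "unknown"
    return "affected" if v <= ceiling else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map controller name -> verdict for an inventory of {name: version}."""
    return {name: assess(ver) for name, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "unifi-hq": "10.2.97",
    "unifi-branch": "10.2.98",
    "unifi-lab": "9.0.118",
    "unifi-legacy": "8.5.6",
    "unifi-other": "10.0.12",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {SAMPLE_INVENTORY[name]:>9}  {verdict}")
```

Feed it the version column from whatever inventory you already have (controller UI, API export, asset database); the point of the `unknown` verdict is to force a manual check against the vendor advisory for release lines the post does not enumerate, instead of letting a comparison quietly mark them clean.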
Continue reading on Dev.to DevOps