Mi
By the Year
In 2026 there have been 0 vulnerabilities in Mi. Mi did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 10 | 9.23 |
| 2023 | 5 | 7.74 |
| 2022 | 12 | 7.36 |
| 2021 | 2 | 5.40 |
| 2020 | 3 | 0.00 |
| 2019 | 4 | 7.57 |
| 2018 | 1 | 8.80 |
It may take a day or so for new Mi vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, some vulnerabilities may be tagged under a different product or component name (for example Xiaomi, Redmi or MIUI rather than Mi), so the counts above should be read as a lower bound.
Recent Mi Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2024-45348 | Sep 23, 2024 | Xiaomi Router AX9000 RCE via post-authorization command injection. The AX9000 has a post-authorization command injection vulnerability caused by missing validation of user input; an attacker can exploit it to execute arbitrary code. |
| CVE-2023-26324 | Aug 28, 2024 | XiaomiGetApps code execution via verification logic bypass. A code execution vulnerability exists in the XiaomiGetApps application; it is caused by the verification logic being bypassed, and an attacker can exploit it to execute malicious code. |
| CVE-2023-26323 | Aug 28, 2024 | Xiaomi App Market remote code execution via unsafe configuration. A code execution vulnerability exists in the Xiaomi App Market product; it is caused by an unsafe configuration and can be exploited by attackers to execute arbitrary code. |
| CVE-2023-26322 | Aug 28, 2024 | XiaomiGetApps code execution via verification bypass. A code execution vulnerability exists in the XiaomiGetApps application; it is caused by the verification logic being bypassed, and an attacker can exploit it to execute malicious code. |
| CVE-2023-26321 | Aug 28, 2024 | Xiaomi File Manager path traversal allows code execution. A path traversal vulnerability exists in the Xiaomi File Manager application (international version); it is caused by unfiltered special characters and can be exploited by attackers to overwrite a file and execute the code it contains. |
| CVE-2023-26315 | Aug 26, 2024 | Xiaomi AX9000 post-authentication command injection via unfiltered input. The Xiaomi router AX9000 has a post-authentication command injection vulnerability caused by a lack of input filtering; an attacker can exploit it to obtain root access to the device. |
| CVE-2024-37663 | Jun 17, 2024 | Redmi RB03 v1.0.57 ICMP redirect forgery. The Redmi router RB03 v1.0.57 is vulnerable to forged ICMP redirect messages: an attacker on the same WLAN as the victim can hijack the traffic between the victim and any remote server by sending forged ICMP redirects. |
| CVE-2024-37664 | Jun 17, 2024 | Redmi RB03 v1.0.57 TCP DoS or hijacking via forged RST messages. An attacker on the same WLAN as the victim can disconnect or hijack the traffic between the victim and any remote server by sending forged TCP RST messages that evict NAT mappings in the router. |
| CVE-2024-4405 | May 02, 2024 | Xiaomi Pro 13 mimarket manual-upgrade cross-site scripting remote code execution (was ZDI-CAN-22379). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required: the target must visit a malicious page or open a malicious file. The flaw exists within the manual-upgrade.html file: when parsing the manualUpgradeInfo parameter, the process does not properly sanitize user-supplied data, which allows injection of an arbitrary script. An attacker can leverage this to execute code in the context of the current user. |
| CVE-2024-4406 | May 02, 2024 | Xiaomi Pro 13 GetApps integral-dialog-page cross-site scripting remote code execution (was ZDI-CAN-22332). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required: the target must visit a malicious page or open a malicious file. The flaw exists within the integral-dialog-page.html file: when parsing the integralInfo parameter, the process does not properly sanitize user-supplied data, which allows injection of an arbitrary script. An attacker can leverage this to execute code in the context of the current user. |
| CVE-2023-26320 | Oct 11, 2023 | Xiaomi Router command injection via improper shell escaping. Improper Neutralization of Special Elements used in a Command ('Command Injection') in Xiaomi Router allows command injection. |
| CVE-2023-26319 | Oct 11, 2023 | Xiaomi Router command injection via unsafe command execution. Improper Neutralization of Special Elements used in a Command ('Command Injection') in Xiaomi Router allows command injection. |
| CVE-2023-26316 | Aug 02, 2023 | Xiaomi Cloud Service WebView XSS via javascript: protocol injection. An XSS vulnerability exists in the Xiaomi cloud service application; it is caused by the WebView's whitelist checking function allowing the javascript: protocol to be loaded, and can be exploited by attackers to steal the Xiaomi cloud service account's cookies. |
| CVE-2023-26317 | Aug 02, 2023 | Xiaomi Router external interface command injection. Xiaomi routers have an external interface that can lead to command injection; the cause is lax filtering of responses from external interfaces. Attackers who hijack the ISP or upper-layer routing can exploit this to gain access to the router. |
| CVE-2020-14140 | Mar 29, 2023 | Xiaomi Router firmware unauthenticated API exposes the Wi-Fi password. Xiaomi router firmware updated in 2020 contains an unauthenticated API that reveals the Wi-Fi password; the cause is missing access control on some API interfaces. Attackers can exploit this to enter the admin backend and perform command injection there. |
| CVE-2020-14129 | Oct 11, 2022 | Xiaomi IoT device identity verification failure allows brief elevation of privilege. A logic vulnerability exists in a Xiaomi product; it is caused by an identity verification failure, which an attacker can exploit to obtain a brief elevation of privilege. |
| CVE-2020-14131 | Oct 11, 2022 | Xiaomi Mi Security Center CVE-2020-14131. The published description contains no technical detail, only an acknowledgement: "The Xiaomi Security Center expresses heartfelt thanks to ADLab of VenusTech! At the same time, we also welcome more outstanding and professional security experts and security teams to join the Mi Security Center (MiSRC) to jointly ensure the safe access of millions of Xiaomi users worldwide." |
| CVE-2020-14126 | Jul 22, 2022 | Information leakage vulnerability in the Mi Sound app. It is caused by illegal calls to some sensitive JS interfaces, which attackers can exploit to leak sensitive information. |
| CVE-2020-14114 | Jul 22, 2022 | Information leakage vulnerability in the Xiaomi SmartHome app. It is caused by illegal calls to some sensitive JS interfaces, which attackers can exploit to leak sensitive information. |
| CVE-2020-14123 | Apr 22, 2022 | Pointer double free in some MIUI services. When a function is called, the memory pointer is copied to two function modules, and an attacker can cause the pointer to be released repeatedly through malicious operations. The affected module crashes, affecting normal functionality, and successful exploitation can lead to elevation of privilege. |
| CVE-2020-14116 | Apr 21, 2022 | Intent redirection vulnerability in the Mi Browser product. Mi Browser does not verify the validity of incoming data; attackers can exploit this to perform sensitive operations. |
| CVE-2020-14117 | Apr 21, 2022 | Improper permission configuration in the Xiaomi Content Center app. The app lacks correct permission verification, and attackers can use this to invoke its sensitive component functions. |
| CVE-2020-14118 | Apr 21, 2022 | Intent redirection vulnerability in the Mi App Store product. Mi App Store does not verify the validity of incoming data, which can cause the app store to automatically download and install apps. |
| CVE-2020-14120 | Apr 21, 2022 | Some Xiaomi models have a vulnerability in a certain application. The application does not check parameters passed in by a third-party application; attackers can induce users to install a malicious app and use the vulnerability to gain elevated privileges, affecting normal system services. |
| CVE-2020-14121 | Apr 21, 2022 | Business logic vulnerability in Mi App Store. Incomplete permission checks can be bypassed, and an attacker can exploit this to perform a local silent installation. |
| CVE-2020-14122 | Apr 21, 2022 | Some Xiaomi phones have information leakage vulnerabilities. Due to missing parameter verification, some of them may allow forging a specific identity, resulting in user information leakage. |
| CVE-2020-14107 | Jan 18, 2022 | A stack overflow in the HTTP server of Cast can be exploited from the LAN to crash the app. |
| CVE-2020-14130 | Sep 16, 2021 | Some JS interfaces in the Xiaomi community app were exposed, allowing sensitive functions to be called maliciously. Affected versions: < 3.0.210809. |
| CVE-2020-14106 | Apr 08, 2021 | An application on the phone can gain unauthorized access to the list of running processes. Affected: Xiaomi Mobile Phone MIUI < 2021.01.26. |
| CVE-2020-9530 | Mar 06, 2020 | An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The exported component of GetApps (com.xiaomi.mipicks) mishandles the functionality of opening other components. Attackers need to induce users to open specific web pages in a specific network environment; by jumping to the WebView component of Messaging (com.android.MMS) and loading malicious web pages, information leakage can occur. Fixed in versions 2001122 and 11.0.1.54. |
| CVE-2019-13322 | Feb 10, 2020 | Xiaomi Browser prior to 10.4.0: remote code execution via miui.share (was ZDI-CAN-7483). User interaction is required: the target must visit a malicious page or open a malicious file. The flaw exists within the handling of the miui.share application; the lack of proper validation of user-supplied data can result in an arbitrary application download, which an attacker can leverage to execute code in the context of the user. |
| CVE-2019-13321 | Feb 10, 2020 | Xiaomi Browser prior to 10.4.0: captive portal allows network-adjacent code execution (was ZDI-CAN-7467). User interaction is required: the target must connect to a malicious access point. The flaw exists within the handling of HTTP responses to the Captive Portal; a crafted HTML response can cause the Captive Portal to open a browser to a specified location without user interaction. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. |
| CVE-2019-15843 | Sep 18, 2019 | A malicious file upload vulnerability was discovered in Xiaomi Millet mobile phones 1-6.3.9.3. A particular condition involving a man-in-the-middle attack may lead to partial data leakage or malicious file writing. |
| CVE-2018-20523 | Jun 07, 2019 | Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection: a third-party application can read the user's cleartext browser history via an app.provider.query content://com.android.browser.searchhistory/searchhistory request. |
| CVE-2019-6743 | Jun 03, 2019 | Xiaomi Mi6 Browser prior to 10.4.0: remote code execution in WebAssembly.Instance (was ZDI-CAN-7466). User interaction is required: the target must visit a malicious page or open a malicious file. The flaw exists within the WebAssembly.Instance method; the lack of proper validation of user-supplied data can result in a write past the end of a heap-based buffer, which an attacker can leverage to execute code in the context of the current process. |
| CVE-2019-10875 | Apr 05, 2019 | A URL spoofing vulnerability was found in all international versions of Xiaomi Mi Browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the "q" query parameter: the portion of an https URL before the ?q= substring is not shown to the user. |
| CVE-2018-6065 | Nov 14, 2018 | Integer overflow in computing the required allocation size when instantiating a new JavaScript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |