cvedb.io
CVE-2026-27510
CRITICAL · CVSS 9.6
EPSS exploitation probability: 0%
Published 2026-02-26T20:31:38.663 · Last modified 2026-06-17T10:27:16.740

Summary

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can tamper with the stored programme record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across r

Affected products

unitree — go2_firmware

Does this affect you?

Add your gear to cvedb and we'll alert you only when unitree ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.