Command Injection Vulnerability in Crestron Devices
CVE-2026-7865

7.4HIGH

Key Information:

Vendor: Crestron Electronics
Status: ToucHPanels (x60/x70)
Vendor: CVE Published:; 5 May 2026

🔔 Create Crestron Electronics Vulnerability Alert

What is CVE-2026-7865?

A command injection vulnerability exists within Crestron Touchpanel devices due to improper handling of control characters in console commands. Authenticated users with SSH access can exploit this flaw by passing specially crafted input to the affected functions, enabling them to execute arbitrary operating system commands. This security issue underlines the importance of ensuring strict validation and sanitization of user inputs to mitigate the risk of unauthorized command execution.

Affected Version(s)

Touchpanels (x60/x70) 3.002.0043.001 <= 3.003.0015.001

References

https://www.crestron.com/Software-Firmware/Firmware/Touch...

patch

https://www.crestron.com/release_notes/tsw-xx70_3.003.001...

release-notes

CVSS V4

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
May 5, 2026

CVE-2026-7865 Data

JSON