cgi_system in NUUO's NVRMini2 3.8.0 and below allows remote malicious users to execute arbitrary code via crafted HTTP requests.
nuuo nvrmini2_firmware