geovision 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に パス処理の欠陥 and vendor risk cross-site scripting などに関し、一部は ファイル上書き を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-7372 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. #### Stack-overflow via unconstrained sscanf The call to `sscanf` at [1] to split the `Buffer` variable into the `username` and `password` variables doesn't limit the size of the extracted content to match the destination buffers | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.0 | 0.46% | 2026-05-03 | 2026-06-17 |
| CVE-2026-7371 | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XXS via the error message for requesting non-existing page. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 7.4 | 0.20% | 2026-05-03 | 2026-06-17 |
| CVE-2026-7161 | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcaste | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.3 | 0.19% | 2026-05-03 | 2026-06-17 |
| CVE-2026-42370 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.0 | 0.45% | 2026-05-03 | 2026-06-17 |
| CVE-2026-42368 | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute priviledged operation. An attacker can visit a webpage to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.9 | 0.31% | 2026-05-03 | 2026-06-17 |
| CVE-2026-42367 | A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 6.5 | 0.27% | 2026-05-03 | 2026-06-17 |
| CVE-2026-42366 | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 7.4 | 0.20% | 2026-05-03 | 2026-06-17 |
| CVE-2026-42365 | A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypas. An attacker can bruteforce session cookies to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 8.6 | 0.30% | 2026-05-03 | 2026-06-17 |
| CVE-2026-42364 | An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.9 | 1.61% | 2026-05-03 | 2026-06-17 |
| CVE-2018-25118 | GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. The vulnerable models have been declared end-of-life (EOL) by the vendor. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-19 08:55:13.141502 UTC. | [email protected] | 10.0 | 1.32% | 2025-10-20 | 2026-06-16 |
| CVE-2024-12553 | GeoVision GV-ASManager Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of GeoVision GV-ASManager. Although authentication is required to exploit this vulnerability, default guest credentials may be used. The specific flaw exists within the GV-ASWeb service. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vuln | [email protected] | 6.5 | 0.57% | 2024-12-13 | 2026-06-17 |
| CVE-2024-11120 KEV | Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports. | [email protected] | 9.8 | 28.55% | 2024-11-14 | 2026-06-17 |
| CVE-2024-6047 KEV | Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. | [email protected] | 9.8 | 10.07% | 2024-06-17 | 2026-06-17 |
| CVE-2022-46070 | GV-ASManager V6.0.1.0 contains a Local File Inclusion vulnerability in GeoWebServer via Path. | [email protected] | 7.5 | 0.45% | 2024-03-11 | 2026-06-17 |
| CVE-2023-3638 | In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application. | [email protected] | 9.8 | 0.58% | 2023-07-19 | 2026-06-17 |
| CVE-2023-23059 | An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for windows, which contains improper permissions within the default installation and allows attackers to execute arbitrary code and gain escalated privileges. | [email protected] | 9.8 | 1.48% | 2023-05-04 | 2026-07-08 |
| CVE-2020-3931 | Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command. | [email protected] | 9.8 | 1.77% | 2020-07-08 | 2026-06-16 |
| CVE-2020-3930 | GeoVision Door Access Control device family improperly stores and controls access to system logs, any users can read these logs. | [email protected] | 4.0 | 0.30% | 2020-06-12 | 2026-06-16 |
| CVE-2019-13408 | A relative path traversal vulnerability found in Advan VD-1 firmware versions up to 230. It allows attackers to download arbitrary files via url cgibin/ExportSettings.cgi?Download=filepath, without any authentication. | [email protected] | 7.5 | 1.91% | 2019-08-28 | 2026-06-16 |
| CVE-2019-13407 | A XSS found in Advan VD-1 firmware versions up to 230. VD-1 responses a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message does not escape properly. | [email protected] | 6.1 | 1.05% | 2019-08-28 | 2026-06-16 |