geovision CVE Vulnerabilities & CVE List (27)

Products (CPE): — CVEs: 27

geovision vulnerability overview

Aggregates CVE and security vulnerability intelligence across all geovision-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Historical issues mainly involve path handling, cross-site scripting, and related problems; some flaws may lead to file overwrite, affecting software deployment scenarios.

Showing 1-20 of 27 CVEs
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-7372 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. Stack-overflow via unconstrained sscanf: The call to `sscanf` at [1] to split the `Buffer` variable into the `username` and `password` variables doesn't limit the size of the extracted content to match the destination buffers | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.0 | 0.17% | 2026-05-04 | 2026-05-05 |
| CVE-2026-7371 | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to an arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XSS via the error message for requesting non-existing page. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 7.4 | 0.04% | 2026-05-04 | 2026-05-05 |
| CVE-2026-7161 | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcaste | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.3 | 0.05% | 2026-05-04 | 2026-05-05 |
| CVE-2026-42370 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.0 | 0.17% | 2026-05-04 | 2026-05-05 |
| CVE-2026-42368 | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute privileged operation. An attacker can visit a webpage to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.9 | 0.03% | 2026-05-04 | 2026-05-05 |
| CVE-2026-42367 | A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 6.5 | 0.02% | 2026-05-04 | 2026-05-05 |
| CVE-2026-42366 | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to an arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 7.4 | 0.04% | 2026-05-04 | 2026-05-05 |
| CVE-2026-42365 | A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can bruteforce session cookies to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 8.6 | 0.06% | 2026-05-04 | 2026-05-05 |
| CVE-2026-42364 | An OS command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability. | 0df08a0e-a200-4957-9bb0-084f562506f9 | 9.9 | 0.18% | 2026-05-04 | 2026-05-05 |
| CVE-2024-12553 | GeoVision GV-ASManager Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of GeoVision GV-ASManager. Although authentication is required to exploit this vulnerability, default guest credentials may be used. The specific flaw exists within the GV-ASWeb service. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vuln | [email protected] | 6.5 | 0.16% | 2024-12-13 | 2025-08-14 |
| CVE-2024-11120 (KEV) | Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports. | [email protected] | 9.8 | 66.14% | 2024-11-15 | 2025-10-30 |
| CVE-2024-6047 (KEV) | Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. | [email protected] | 9.8 | 72.97% | 2024-06-17 | 2025-10-30 |
| CVE-2022-46070 | GV-ASManager V6.0.1.0 contains a Local File Inclusion vulnerability in GeoWebServer via Path. | [email protected] | 7.5 | 0.10% | 2024-03-11 | 2025-09-18 |
| CVE-2023-3638 | In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application. | [email protected] | 9.8 | 0.16% | 2023-07-19 | 2024-11-21 |
| CVE-2023-23059 | An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for Windows, which contains improper permissions within the default installation and allows attackers to execute arbitrary code and gain escalated privileges. | [email protected] | 9.8 | 0.77% | 2023-05-04 | 2025-01-29 |
| CVE-2020-3931 | Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command. | [email protected] | 9.8 | 1.73% | 2020-07-08 | 2024-11-21 |
| CVE-2020-3930 | GeoVision Door Access Control device family improperly stores and controls access to system logs, any users can read these logs. | [email protected] | 4.0 | 0.05% | 2020-06-12 | 2024-11-21 |
| CVE-2019-13408 | A relative path traversal vulnerability found in Advan VD-1 firmware versions up to 230. It allows attackers to download arbitrary files via URL cgibin/ExportSettings.cgi?Download=filepath, without any authentication. | [email protected] | 7.5 | 0.53% | 2019-08-29 | 2024-11-21 |
| CVE-2019-13407 | An XSS found in Advan VD-1 firmware versions up to 230. VD-1 responds with a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message is not escaped properly. | [email protected] | 6.1 | 0.42% | 2019-08-29 | 2024-11-21 |
| CVE-2019-11064 | A vulnerability of remote credential disclosure was discovered in Advan VD-1 firmware versions up to 230. An attacker can export system configuration which is not encrypted to get the administrator’s account and password in plain text via cgibin/ExportSettings.cgi?Export=1 without any authentication. | [email protected] | 9.8 | 0.46% | 2019-08-29 | 2024-11-21 |
cvelogic Threat Intelligence