CVE-2026-42370 PUBLISHED

GeoVision GV-VMS V20 WebCam Server Login stack overflow vulnerability

Assigner: GV
Reserved: 26.04.2026 Published: 04.05.2026 Updated: 04.05.2026

A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	GeoVision Inc.
Product	GV-VMS V20.0.2
Versions	Default: unaffected Version 20.0.2 is affected Version 21.0.0 is unaffected

Solutions

GeoVision GV-VMS version V21.0.0 has patched the reported vulnerability.

User is recommended to download the update from GeoVision's offical website (https://www.geovision.com.tw/download/product/GV-VMS%20V20)

or contact GeoVision Support team

Credits

Philippe Laulheret of Cisco Talos. finder
Kelly Patterson of Cisco Talos. remediation reviewer
Martin Zeiser of Cisco Talos. coordinator

References

Problem Types

CWE-787 Out-of-bounds write CWE

Impacts

CAPEC-100 Overflow Buffers
CAPEC-242 Code Injection