Which versions of GALAYOU Y4 are affected by CVE-2026-12192?

GALAYOU Y4 v1.0.0 devices connected to internal networks are vulnerable to remote compromise with publicly available exploit code and no vendor patch forthcoming.

How to fix or mitigate CVE-2026-12192?

Within 24 hours: Complete asset inventory of all GALAYOU Y4 v1.0.0 deployments and map network exposure; segregate vulnerable devices to isolated VLANs or dedicated network segments. Within 7 days: Deploy network-based detection rules for buffer overflow exploitation attempts; implement access control lists restricting inbound and outbound traffic to/from affected devices. Within 30 days: Execute remediation-upgrade to patched device models or decommission; if retention required, maintain strict network segregation and enhanced monitoring as permanent controls.

GALAYOU Y4 CVE-2026-12192

Q: What is the CVSS score of CVE-2026-12192?

CVE-2026-12192 has a CVSS 4.0 base score of 7.4 (High). CVSS vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-36671 HIGH

Classic Buffer Overflow (CWE-120)

2026-06-14 VulDB

GHSA-rm6x-6fv3-45m8

Buffer Overflow Y4

7.4

CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY

7.4 HIGH

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI

8.8 HIGH

Adjacent-network web request, no auth or user interaction, low complexity, and a buffer overflow in the device's own web server yields full C/I/A on the camera with no scope change.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Jun 15, 2026 - 00:29 vuln.today

v3 (cvss_changed)

Analysis Updated

Jun 15, 2026 - 00:29 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Jun 15, 2026 - 00:22 vuln.today

cvss_changed

CVSS changed

Jun 15, 2026 - 00:22 NVD

8.7 (HIGH) 7.4 (HIGH)

Analysis Generated

Jun 14, 2026 - 23:58 vuln.today

DescriptionCVE.org

A vulnerability was determined in GALAYOU Y4 1.0.0. Impacted is an unknown function of the component Web Server. This manipulation causes buffer overflow. The attack is only possible within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Buffer overflow in the web server component of GALAYOU Y4 version 1.0.0 allows adjacent-network attackers to compromise the device's confidentiality, integrity, and availability without authentication. Publicly available exploit code exists per VulDB disclosure, though the vendor was contacted and did not respond, leaving the issue unpatched. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Join shared LAN or Wi-Fi

Delivery

Discover Y4 camera web port

Exploit

Send oversized HTTP request

Execution

Overflow web-server buffer

Persist

Execute code or crash device

Impact

Hijack video feed and pivot