Skip to main content

GeoVision LPC2011/LPC2211 CVE-2026-42366

| EUVDEUVD-2026-26857 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-04 GV
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 01:47 vuln.today
EUVD ID Assigned
May 04, 2026 - 01:15 euvd
EUVD-2026-26857
Analysis Generated
May 04, 2026 - 01:15 vuln.today
CVE Published
May 04, 2026 - 00:42 nvd
HIGH 7.4

DescriptionCVE.org

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability.

AnalysisAI

Reflected cross-site scripting in GeoVision LPC2011/LPC2211 1.10 web interface (ssi.cgi) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability achieves scope change (S:C in CVSS), enabling access to high-confidentiality data across security contexts despite requiring user interaction. No public exploit code or CISA KEV listing identified at time of analysis, though vendor advisory confirms the flaw. EPSS data not available. The RCE tag appears to be a mislabeling - this is strictly client-side JavaScript execution (XSS), not server-side remote code execution.

Technical ContextAI

GeoVision LPC2011/LPC2211 are IP-based license plate capture cameras with embedded web interfaces for device management. The vulnerability resides in the ssi.cgi component (Server Side Include CGI handler), which fails to sanitize user-supplied input before reflecting it in HTTP responses. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the application accepts untrusted data and includes it in dynamically generated web content without validation or encoding. The CPE string (cpe:2.3:a:geovision_inc.:gv-lpc2011/lpc2211:*:*:*:*:*:*:*:*) confirms all versions are affected, with the description specifying firmware version 1.10. Reflected XSS differs from stored XSS in that the malicious payload is not persisted on the server but instead delivered through the attack vector itself (URL parameters in this case), requiring social engineering to deliver the crafted link to victims. The CVSS scope change metric (S:C) indicates the JavaScript executes in a context that can access resources beyond the vulnerable application itself, likely due to session tokens or cookies shared across GeoVision's web interface domains.

RemediationAI

Upgrade to patched firmware per GeoVision's security advisory at https://www.geovision.com.tw/cyber_security.php - the advisory should specify the fixed version, which is not independently confirmed in available CVE data. Until patching is complete, implement defense-in-depth controls: restrict web interface access to trusted management VLANs or VPN-only connections using firewall rules (blocks attack vector but impacts remote administration); disable the ssi.cgi endpoint if functionality is not operationally required (may break certain web interface features - test in non-production first); deploy web application firewall rules to detect and block common XSS patterns in URLs targeting the affected cameras, though this is bypassable with encoding techniques; enforce Content Security Policy headers via reverse proxy if cameras sit behind centralized management infrastructure (requires additional infrastructure). For cameras exposed to semi-trusted users (e.g., building security staff), implement security awareness training on recognizing malicious URLs and prohibit following links from untrusted sources when accessing camera interfaces. Monitor web server logs for unusual ssi.cgi requests with encoded JavaScript or event handlers. Note that XSS mitigations do not prevent exploitation if attackers achieve authenticated access through other means - this is strictly a perimeter defense strategy.

Share

CVE-2026-42366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy