What is the CVSS score of CVE-2026-42369?

CVE-2026-42369 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of GV-VMS V20 are affected by CVE-2026-42369?

GeoVision GV-VMS V20 WebCam Server is vulnerable to unauthenticated remote code execution with a CVSS 10.0 severity rating, allowing attackers to execute arbitrary code with SYSTEM-level privileges…

GV-VMS V20 CVE-2026-42369

EUVD-2026-26860 CRITICAL

Out-of-bounds Write (CWE-787)

2026-05-04 GV

RCE Buffer Overflow Memory Corruption

10.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 04, 2026 - 01:47 vuln.today

EUVD ID Assigned

May 04, 2026 - 01:15 euvd

EUVD-2026-26860

Analysis Generated

May 04, 2026 - 01:15 vuln.today

CVE Published

May 04, 2026 - 00:47 nvd

CRITICAL 10.0

DescriptionNVD

GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the "WebCam Server" feature. Once enabled, it is possible to access to the management and monitoring feature via a regular Web interface. This webersever is another native application, compiled without ASLR, which makes exploitation much easier and more likely.

Most of the features require authentication before being reachable and leverage a standard login page to grant access. However the gvapi endpoint uses its own authentication mechanism via an HTTP Authorization header. It supports both Basic authentication and the Digest modes of authentication. #### Stack-overflow via unbound copy of base64 decoded string

The b64decoder string is sized dynamically, but it is then copied to the Buffer stack variable one character at the time at [0], and there's no bound-check. As such, if the decoded string is bigger than 256 characters (the size of the Buffer variable) then a stack overflow occurs. Because the data can be fully controlled by an attacker and lack of ASLR, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service.

AnalysisAI

Remote unauthenticated code execution in GeoVision GV-VMS V20 WebCam Server allows attackers to execute arbitrary code as SYSTEM via stack buffer overflow. The gvapi endpoint bypasses standard authentication and copies base64-decoded HTTP Authorization headers into a 256-byte stack buffer without bounds checking, enabling full stack control. …

RemediationAI

Within 24 hours: Isolate all GeoVision GV-VMS V20 WebCam Server instances from untrusted networks; disable or restrict access to the gvapi endpoint via network firewall rules; document all affected systems and their network locations. Within 7 days: Implement network segmentation to limit WebCam Server exposure; deploy intrusion detection/prevention signatures for gvapi exploit patterns; establish continuous monitoring for unauthorized access attempts; contact GeoVision for patch availability and timeline. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42369 vulnerability details – vuln.today

Back

GV-VMS V20 CVE-2026-42369

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code