EUVD-2026-26864CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionNVD
A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. #### Stack-overflow via unconstrained sscanf
The call to sscanf at [1] to split the Buffer variable into the username and password variables doesn't limit the size of the extracted content to match the destination buffers' sizes. In this case, if either the username or password decoded from the authorization string exceeds 40 characters (the size the stack variables username and password) then a stack overflow will occur.
The data is controlled by an attacker, but sronger constraints (e.g. no null bytes) may make exploitation harder. A successful attack could lead to full code execution as SYSTEM on the machine running the service.
AnalysisAI
Remote code execution in GeoVision GV-VMS V20 20.0.2 allows unauthenticated attackers to execute arbitrary code as SYSTEM via stack overflow in WebCam Server Login functionality. A specially crafted HTTP request with oversized username or password fields (exceeding 40 characters) triggers unconstrained sscanf buffer handling. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all instances of GeoVision GV-VMS V20 20.0.2 in production and isolate affected systems from direct internet exposure using firewall rules that block external access to WebCam Server ports. Within 7 days: Contact GeoVision support to confirm patch availability timeline and evaluate upgrade feasibility to patched versions; implement network segmentation to restrict internal access to administrative interfaces. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today