Skip to main content

Gv Lpclpc2011 2211

10 CVEs product

Monthly

CVE-2026-57881 CRITICAL Act Now

Remote unauthenticated stack-based buffer overflow in the vlsvr login service of GeoVision GV-LPC2011 and GV-LPC2211 license plate capture cameras (firmware V1.12 and earlier) lets a remote attacker corrupt memory by sending an over-length login field, enabling denial of service and potentially arbitrary code execution. The flaw requires no authentication and no user interaction (CVSS 9.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

RCE Buffer Overflow Denial Of Service Stack Overflow Gv Lpclpc2011 2211
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-57880 CRITICAL Act Now

Unauthenticated remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate camera devices (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the ssvr streaming component's RTSP Digest authentication parser. A remote attacker reachable on the RTSP service can send overly long authentication field data to corrupt the stack, crashing the device or potentially executing arbitrary code with no credentials or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.8 rating and unauthenticated network vector make it a high-priority patching target.

RCE Buffer Overflow Denial Of Service Stack Overflow Gv Lpclpc2011 2211
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57879 CRITICAL Act Now

Remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (V1.12 and earlier) arise from a stack-based buffer overflow in the ssvr component's RTSP custom authentication handling. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates an unauthenticated remote attacker can trigger memory corruption with a single crafted RTSP request, yielding crash-level DoS and potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Buffer Overflow Denial Of Service Stack Overflow Gv Lpclpc2011 2211
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57878 CRITICAL Act Now

Remote code execution in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the embedded thttpd web server, where overly long parameters in a specific request path overrun a fixed-size stack buffer. An unauthenticated remote attacker (per CVSS PR:N) can send a single crafted HTTP request to corrupt memory and cause denial of service or potentially execute arbitrary code on the device. No public exploit has been identified at time of analysis, but the CVSS 9.8 rating and lack of authentication make this a high-priority embedded-device exposure.

RCE Buffer Overflow Denial Of Service Stack Overflow Gv Lpclpc2011 2211
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57877 HIGH This Week

Unauthenticated format string flaw in the vlsvr service of GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote attackers send crafted login data that the device passes unsanitized into a log-formatting routine. Successful exploitation can leak memory contents, corrupt memory, or crash the service, with the high availability impact (CVSS 8.6) reflecting denial of service as the most reliable outcome. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Gv Lpclpc2011 2211
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-57876 HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote, unauthenticated attackers crash the device by sending a crafted HTTP request to onvif.cgi. The ONVIF CGI handler fails to bounds-check HTTP request body data, so oversized input triggers an out-of-bounds write and memory corruption. No public exploit identified at time of analysis, and the flaw yields availability impact only — no code execution or data disclosure is claimed by the vendor.

Buffer Overflow Denial Of Service Memory Corruption Gv Lpclpc2011 2211
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57875 HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate capture devices (firmware V1.12 and earlier) lets a remote, unauthenticated attacker crash the device by sending a single malformed HTTP request to its CGI interface. The flaw is a NULL pointer dereference in HTTP request-parsing logic shared across multiple CGI components, triggered when required request metadata is missing or malformed. No public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact - only availability.

Denial Of Service Null Pointer Dereference Gv Lpclpc2011 2211
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2026-57874 HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-capture devices (firmware V1.12 and earlier) allows remote unauthenticated attackers to crash the device by sending a multipart upload request with an overly long filename to IEEE8021x_upload.cgi. The flaw is a classic stack/heap buffer overflow (CWE-120) with availability-only impact and no confidentiality or integrity loss. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Gv Lpclpc2011 2211
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57873 HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate cameras (firmware V1.12 and earlier) lets remote unauthenticated attackers crash the IEEE8021x_upload.cgi process by sending a malformed multipart upload request, triggering a NULL pointer dereference (CWE-476). The high availability impact (CVSS 7.5, A:H) means the device's 802.1x certificate-upload functionality - and potentially the management interface - becomes unavailable until the process or device restarts. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Null Pointer Dereference Gv Lpclpc2011 2211
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-57872 HIGH This Week

Arbitrary file read in GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition appliances (firmware V1.12 and earlier) lets a remote, unauthenticated attacker traverse the filesystem via the get_fcont.cgi endpoint and retrieve any file readable by the CGI process. Because the CGI fails to validate the user-supplied file path, a single crafted HTTP request can disclose configuration files, credentials, or other sensitive data. There is no public exploit identified at time of analysis, but the network-reachable, no-authentication nature (CVSS 7.5) makes it straightforward to weaponize.

Information Disclosure Path Traversal Gv Lpclpc2011 2211
NVD
CVSS 3.1
7.5
EPSS
1.0%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated stack-based buffer overflow in the vlsvr login service of GeoVision GV-LPC2011 and GV-LPC2211 license plate capture cameras (firmware V1.12 and earlier) lets a remote attacker corrupt memory by sending an over-length login field, enabling denial of service and potentially arbitrary code execution. The flaw requires no authentication and no user interaction (CVSS 9.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

RCE Buffer Overflow Denial Of Service +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate camera devices (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the ssvr streaming component's RTSP Digest authentication parser. A remote attacker reachable on the RTSP service can send overly long authentication field data to corrupt the stack, crashing the device or potentially executing arbitrary code with no credentials or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.8 rating and unauthenticated network vector make it a high-priority patching target.

RCE Buffer Overflow Denial Of Service +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (V1.12 and earlier) arise from a stack-based buffer overflow in the ssvr component's RTSP custom authentication handling. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates an unauthenticated remote attacker can trigger memory corruption with a single crafted RTSP request, yielding crash-level DoS and potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Buffer Overflow Denial Of Service +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the embedded thttpd web server, where overly long parameters in a specific request path overrun a fixed-size stack buffer. An unauthenticated remote attacker (per CVSS PR:N) can send a single crafted HTTP request to corrupt memory and cause denial of service or potentially execute arbitrary code on the device. No public exploit has been identified at time of analysis, but the CVSS 9.8 rating and lack of authentication make this a high-priority embedded-device exposure.

RCE Buffer Overflow Denial Of Service +2
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Unauthenticated format string flaw in the vlsvr service of GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote attackers send crafted login data that the device passes unsanitized into a log-formatting routine. Successful exploitation can leak memory contents, corrupt memory, or crash the service, with the high availability impact (CVSS 8.6) reflecting denial of service as the most reliable outcome. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote, unauthenticated attackers crash the device by sending a crafted HTTP request to onvif.cgi. The ONVIF CGI handler fails to bounds-check HTTP request body data, so oversized input triggers an out-of-bounds write and memory corruption. No public exploit identified at time of analysis, and the flaw yields availability impact only — no code execution or data disclosure is claimed by the vendor.

Buffer Overflow Denial Of Service Memory Corruption +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate capture devices (firmware V1.12 and earlier) lets a remote, unauthenticated attacker crash the device by sending a single malformed HTTP request to its CGI interface. The flaw is a NULL pointer dereference in HTTP request-parsing logic shared across multiple CGI components, triggered when required request metadata is missing or malformed. No public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact - only availability.

Denial Of Service Null Pointer Dereference Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-capture devices (firmware V1.12 and earlier) allows remote unauthenticated attackers to crash the device by sending a multipart upload request with an overly long filename to IEEE8021x_upload.cgi. The flaw is a classic stack/heap buffer overflow (CWE-120) with availability-only impact and no confidentiality or integrity loss. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate cameras (firmware V1.12 and earlier) lets remote unauthenticated attackers crash the IEEE8021x_upload.cgi process by sending a malformed multipart upload request, triggering a NULL pointer dereference (CWE-476). The high availability impact (CVSS 7.5, A:H) means the device's 802.1x certificate-upload functionality - and potentially the management interface - becomes unavailable until the process or device restarts. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Null Pointer Dereference Gv Lpclpc2011 2211
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition appliances (firmware V1.12 and earlier) lets a remote, unauthenticated attacker traverse the filesystem via the get_fcont.cgi endpoint and retrieve any file readable by the CGI process. Because the CGI fails to validate the user-supplied file path, a single crafted HTTP request can disclose configuration files, credentials, or other sensitive data. There is no public exploit identified at time of analysis, but the network-reachable, no-authentication nature (CVSS 7.5) makes it straightforward to weaponize.

Information Disclosure Path Traversal Gv Lpclpc2011 2211
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy