CVE-2026-42370
Published 2026-05-04
CVE-2026-42370: A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an…
Priority: P263 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.53% · 41.0th percentile
A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geovision | gv-vms_firmware | < 21.0.0 | 21.0.0 |
| geovision_inc | gv-vms_v20.0.2 | — | — |
VulDB
GeoVision GV-VMS V20.0.2 up to 20.0.2 WebCam Server Login out-of-bounds write
vuldb·2026-06-15·CVSS 9.8
CVE-2026-42370 [CRITICAL] GeoVision GV-VMS V20.0.2 up to 20.0.2 WebCam Server Login out-of-bounds write
A vulnerability identified as critical has been detected in GeoVision GV-VMS V20.0.2 up to 20.0.2. This affects an unknown function of the component WebCam Server Login. The manipulation leads to out-of-bounds write.
This vulnerability is traded as CVE-2026-42370. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
GHSA-93mj-8jh7-m3mh: A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20
ghsa_unreviewed·2026-05-04
CVE-2026-42370 [CRITICAL] CWE-787 GHSA-93mj-8jh7-m3mh: A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20
A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-04