Summary

| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-42370 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-04 |
| Vendor | GeoVision |
| Product | GV-VMS V20 |
| CVSS Score | 9.0 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |

Vulnerability Description
A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
Required Actions
Update GeoVision GV-VMS V20 to a patched version immediately. Until the patch is deployed, disable the “WebCam Server” feature or restrict its access to a trusted internal network only. Monitor GV-VMS instances for unusual HTTP requests to login endpoints and unexpected process restarts.
Who Is Affected?
This vulnerability affects GV-VMS V20 by GeoVision (version 20.0.2). Check whether your organization uses this application and deploy mitigations without delay.
