GV-LPC-2026-04-01 GV-LPC2011/2211 V1.10 Vulnerability
Posted: May 7th, 2026, 7:31 am
Release Date: 2026/04/27
Advisory ID
GV-LPC-2026-04-01
CVE ID
CVE-2026-42364, CVE-2026-42365, CVE-2026-42366, CVE-2026-42367, CVE-2026-42368, CVE-2026-7371
Affected Product
GV-LPC2011/LPC2211 V1.10 or earlier
Security Issue
CVE-2026-42364
An OS command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.
CVE-2026-42365
A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can brute-force session cookies to trigger this vulnerability.
CVE-2026-42366, CVE-2026-7371
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability.
CVE-2026-42367
A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to a credentials leak. An attacker can visit a webpage to trigger this vulnerability.
CVE-2026-42368
A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to the execution of a privileged operation. An attacker can visit a webpage to trigger this vulnerability.
Resolution
The reported vulnerabilities are resolved in firmware update GV-LPCV2011/2211 V1.12 and later versions, which are available for download from GeoVision’s official download page at: Link
If you have any questions or concerns regarding this cybersecurity issue, please contact our cybersecurity team: security@geovision.com.tw.