Description
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability.
Published: 2026-05-04
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the ssi.cgi functionality of the GeoVision LPC2011/LPC2211 web interface. An attacker can craft a malicious URL whose content is reflected back to the user's browser, allowing arbitrary JavaScript execution. The issue is a classic client-side injection flaw, classified as CWE-79, and can lead to session hijacking, phishing, or other malicious actions executed in the victim's context.

Affected Systems

The vulnerability affects GeoVision Inc. devices running the GV‑LPC2011/LPC2211 firmware, specifically versions 1.10 and 1.20. Firmware V1.12-260330 has been released by GeoVision with the vulnerability patched. Devices still running older firmware without the patch are at risk.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity, while the EPSS score is not available, so the exploitation likelihood remains unclear. The vulnerability is not currently listed in CISA KEV, but an attacker can exploit it remotely over the network by directing a victim to a specially crafted URL. Since the attack requires interacting with the web interface, it is most effective against externally exposed devices or users who can access the device’s web UI.

Generated by OpenCVE AI on May 4, 2026 at 02:23 UTC.

Remediation

Vendor Solution

GeoVision GV-LPC2011/LPC2211 V1.12-260330 has patched the reported vulnerability. Users may visit the GeoVision website or contact the GeoVision Support team for the firmware update.


OpenCVE Recommended Actions

  • Update the GV‑LPC2011/LPC2211 firmware to V1.12‑260330 or later to apply the vendor‑issued fix.
  • Restrict access to the device’s web interface by employing network segmentation, VPN, or firewall rules so that only trusted personnel can reach it.
  • If the web interface is not required for operation, disable or remove the ssi.cgi functionality or the entire web interface to reduce the attack surface.


Advisories

No advisories yet.

History

Mon, 04 May 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. |
| Title | | GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi reflected cross-site scripting (XSS) vulnerabilities |
| First Time appeared | | Geovision Inc.; Geovision Inc. gv-lpc2011 Lpc2211 |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:v1.10:*:linux:*:*:*:*:*; cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:v1.20:*:linux:*:*:*:*:* |
| Vendors & Products | | Geovision Inc.; Geovision Inc. gv-lpc2011 Lpc2211 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-05-04T00:42:39.182Z

Reserved: 2026-04-26T23:39:08.350Z

Link: CVE-2026-42366

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T01:16:03.753

Modified: 2026-05-04T01:16:03.753

Link: CVE-2026-42366

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T02:30:34Z
