Description
A vulnerability exists in H.View IP cameras in which certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validating file type, structure, or size. This design omission enables the placement of unexpected or malformed data in locations intended for trusted certificate material, which could affect system integrity or behavior even after reboot.
Published: 2026-06-26
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a design flaw in H.VIEW IP cameras that allows authenticated users to store arbitrary file content to fixed, persistent locations normally reserved for certificate material. Because the system does not validate file type, structure, or size, an attacker can overwrite certificate files with malicious data, potentially altering authentication behavior or causing unintended system behavior after reboot. This is a CWE-434 (Unrestricted Upload of File with Dangerous Type) flaw affecting system integrity.

Affected Systems

The vulnerability is present in H.VIEW HV-500S6 IP Cameras. No specific firmware or version information is listed, so all devices of this model are potentially impacted until a patch or mitigation is applied.

Risk and Exploitability

The CVSS score of 8.6 indicates a high‑severity vulnerability. There is no EPSS score or KEV listing, but the attack requires authenticated access to the camera’s certificate‑upload service. An internal attacker or a compromised account could exploit the flaw to replace critical certificate files, leading to integrity compromise or denial of service after a reboot. Because the vulnerability allows arbitrary file placement, the exploitation likelihood is significant for privileged users, and no patch is currently available.

Generated by OpenCVE AI on June 27, 2026 at 00:20 UTC.

Remediation

Vendor Workaround

H.View did not respond to CISA's request to coordinate. Users are encouraged to reach out to H.View for support: https://hviewsmart.com/pages/contact-us


OpenCVE Recommended Actions

  • Restrict access to the certificate upload interface so that only trusted administrators can use it.
  • Contact H.VIEW support to request a firmware update that addresses the upload issue.
  • Implement network segmentation or firewall rules to limit external or untrusted devices from accessing the camera’s web interface.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in H.View IP cameras in which certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validating file type, structure, or size. This design omission enables the placement of unexpected or malformed data in locations intended for trusted certificate material, which could affect system integrity or behavior even after reboot.
Title H.VIEW HV-500S6 IP Camera Unrestricted Upload of File with Dangerous Type
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-26T23:00:39.958Z

Reserved: 2026-06-22T20:13:36.501Z

Link: CVE-2026-56414

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T00:30:05Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type