Description
An unauthenticated directory traversal vulnerability exists in get_fcont.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient validation of user-supplied file path input before the requested file is accessed by the CGI component. A remote attacker may exploit this vulnerability by sending a crafted request to read arbitrary files accessible to the affected process, resulting in information disclosure.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated directory traversal vulnerability exists in the get_fcont.cgi component of GeoVision GV-LPC2011 and GV-LPC2211. The flaw arises because the CGI script does not properly validate the user-supplied file path before accessing the requested file, allowing an attacker to read arbitrary files that the web process can access. This exploitable weakness can expose sensitive configuration data, credentials, or other confidential files, constituting a confidentiality breach. The weakness aligns with CWE‑22, Directory Traversal.

Affected Systems

The vulnerability affects GeoVision Inc.’s GV-LPC2011 and GV-LPC2211 devices running firmware version 1.12 or older on Linux operating systems. No newer firmware versions are listed as affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. The EPSS score is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be remote, as a malicious actor can issue a crafted HTTP request to the vulnerable CGI endpoint to obtain arbitrary file contents. Because authentication is not required, any host reachable via the web interface is at risk, especially if exposed to the public Internet.

Generated by OpenCVE AI on June 26, 2026 at 08:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to a version newer than 1.12 that addresses the directory traversal flaw.
  • If upgrading is not immediately feasible, limit external access to the get_fcont.cgi endpoint by configuring the web server or firewall to allow requests only from trusted internal networks or authenticated users.
  • Implement path validation or serve the CGI component through a secured wrapper that blocks traversal characters, preventing arbitrary file reads.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 26 Jun 2026 07:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An unauthenticated directory traversal vulnerability exists in get_fcont.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient validation of user-supplied file path input before the requested file is accessed by the CGI component. A remote attacker may exploit this vulnerability by sending a crafted request to read arbitrary files accessible to the affected process, resulting in information disclosure. |
| Title | | GV-LPC2011/LPC2211 - unauthorized directory traversal vulnerability (get_fcont.cgi) |
| First Time appeared | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211 |
| Weaknesses | | CWE-22 |
| CPEs | | cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.12:*:linux:*:*:*:*:*; cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.13:*:linux:*:*:*:*:* |
| Vendors & Products | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-26T15:27:13.920Z

Reserved: 2026-06-26T02:40:42.397Z

Link: CVE-2026-57872

Vulnrichment

Updated: 2026-06-26T15:27:08.099Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T08:30:04Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')