Description
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XSS via the error message for requesting a non-existent page.
Published: 2026-05-04
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in the ssi.cgi component of the GeoVision LPC2011/LPC2211 web interface. A specially crafted URL triggers JavaScript execution via the error message returned for a non‑existent page. The flaw enables an attacker to run arbitrary JavaScript within the camera’s web page context.

Affected Systems

GeoVision Inc. GV‑LPC2011/LPC2211 devices running firmware version 1.10, and potentially 1.20, are affected. The vendor has released firmware V1.12‑260330 that addresses the issue, so any device with earlier firmware should be updated.

Risk and Exploitability

The CVSS score is 7.4, no EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit it by sending a crafted HTTP GET request to the ssi.cgi endpoint; the victim only needs to visit the malicious URL. The attack vector is web‑based and does not require privileged device access, indicating a high potential for exploitation.

Generated by OpenCVE AI on May 4, 2026 at 02:51 UTC.

Remediation

Vendor Solution

GeoVision GV-LPC2011/LPC2211 V1.12-260330 has patched the reported vulnerability. Users may visit the GeoVision website or contact the GeoVision Support team for the firmware update.


OpenCVE Recommended Actions

  • Apply the GeoVision GV‑LPC2011/LPC2211 V1.12‑260330 firmware update to eliminate the flaw
  • If an immediate update is not possible, disable the web interface or restrict it to trusted local hosts until the update can be applied
  • Deploy a web application firewall or URL filter to block requests to the ssi.cgi endpoint that contain script tags


Advisories

No advisories yet.

History

Mon, 04 May 2026 01:15:00 +0000

Type Values Removed Values Added
Description Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XSS via the error message for requesting a non-existent page.
Title GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi reflected cross-site scripting (XSS) vulnerabilities
First Time appeared Geovision Inc.
Geovision Inc. gv-lpc2011 Lpc2211
Weaknesses CWE-79
CPEs cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:v1.10:*:linux:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:v1.20:*:linux:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-lpc2011 Lpc2211
References
Metrics cvssV3_1: score 7.4, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-05-04T00:43:05.061Z

Reserved: 2026-04-28T22:53:06.123Z

Link: CVE-2026-7371

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T01:16:04.590

Modified: 2026-05-04T01:16:04.590

Link: CVE-2026-7371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T03:00:11Z
