SB2026070286 - Multiple vulnerabilities in GeoVision GeoWebPlayer




Published: July 2, 2026

Security Bulletin ID: SB2026070286
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 18
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 18 vulnerabilities.


1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-13125)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to missing authentication for a critical function in the Websocket Server functionality. A remote attacker can stage a malicious webpage and execute privileged operations.


2) Improper Validation of Array Index (CVE-ID: CVE-2026-57272)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the byPass command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


3) Improper Validation of Array Index (CVE-ID: CVE-2026-57271)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the pause command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


4) Improper Validation of Array Index (CVE-ID: CVE-2026-57270)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the play command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


5) Improper Validation of Array Index (CVE-ID: CVE-2026-57269)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the disconnect command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


6) Improper Validation of Array Index (CVE-ID: CVE-2026-57268)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the saveVideo command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


7) Improper Validation of Array Index (CVE-ID: CVE-2026-57267)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the snapshot command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


8) Improper Validation of Array Index (CVE-ID: CVE-2026-57266)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the 2wayAudio command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


9) Improper Validation of Array Index (CVE-ID: CVE-2026-57265)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the audio command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


10) Improper Validation of Array Index (CVE-ID: CVE-2026-57264)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the setPIP command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


11) Improper Validation of Array Index (CVE-ID: CVE-2026-13132)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the setStream command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


12) Improper Validation of Array Index (CVE-ID: CVE-2026-13131)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to improper array index validation within the Websocket Server functionality in the connectInfo command. A remote attacker can use a specially crafted webpage and execute arbitrary code on the target system.


13) Buffer overflow (CVE-ID: CVE-2026-57278)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the Websocket Server connectInfo handler functionality in the ip field. A remote attacker can use a specially crafted webpage, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


14) Buffer overflow (CVE-ID: CVE-2026-57277)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the Websocket Server connectInfo handler functionality in the key field. A remote attacker can use a specially crafted webpage, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


15) Buffer overflow (CVE-ID: CVE-2026-57276)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the Websocket Server connectInfo handler functionality in the password field when a key variable is provided. A remote attacker can use a specially crafted webpage, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


16) Buffer overflow (CVE-ID: CVE-2026-57275)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the Websocket Server connectInfo handler functionality in the username field when a key variable is provided. A remote attacker can use a specially crafted webpage, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


17) Buffer overflow (CVE-ID: CVE-2026-57274)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the Websocket Server connectInfo handler functionality in the password field when no key variable is provided. A remote attacker can use a specially crafted webpage, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


18) Buffer overflow (CVE-ID: CVE-2026-57273)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the Websocket Server connectInfo handler functionality in the username field when no key variable is provided. A remote attacker can use a specially crafted webpage, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
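
As an added illustration of the two defect classes in entries 2 to 18 (this is not GeoVision's code and is not taken from the bulletin), the C example below checks an index once for every command handler and rejects over-long connectInfo fields instead of copying them. The channel table, its size, the field sizes, the notion that the index selects a channel and all function names are hypothetical; only the field names ip, key, username and password come from the bulletin.

```c
#include <string.h>

/* Hypothetical sizes: the bulletin does not describe the real layout. */
#define MAX_CHANNELS 16
#define ADDR_LEN 64
#define CRED_LEN 32

typedef struct {
    char ip[ADDR_LEN], key[ADDR_LEN], username[CRED_LEN], password[CRED_LEN];
    int in_use;
} channel_t;
typedef struct {               /* fields decoded from the untrusted message */
    long index;
    const char *ip, *key, *username, *password;   /* key may be NULL */
} connect_req_t;
enum { REQ_OK = 0, REQ_BAD_INDEX = -1, REQ_BAD_FIELD = -2 };
static channel_t channels[MAX_CHANNELS];

/* CWE-119: copy only if the value and its terminator fit; never truncate. */
static int copy_field(char *dst, size_t cap, const char *src)
{
    const char *end = src ? memchr(src, '\0', cap) : NULL;
    if (end == NULL) return -1;            /* missing or too long */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* CWE-129: single lookup used by every command; rejects negative and large. */
static channel_t *channel_at(long index)
{
    return (index >= 0 && index < MAX_CHANNELS) ? &channels[index] : NULL;
}

int handle_connect_info(const connect_req_t *req)
{
    channel_t tmp = {0}, *ch = channel_at(req->index);
    if (ch == NULL) return REQ_BAD_INDEX;
    /* Build a scratch copy first so a rejected request changes no state. */
    if (copy_field(tmp.ip, sizeof tmp.ip, req->ip) ||
        copy_field(tmp.username, sizeof tmp.username, req->username) ||
        copy_field(tmp.password, sizeof tmp.password, req->password) ||
        (req->key && copy_field(tmp.key, sizeof tmp.key, req->key)))
        return REQ_BAD_FIELD;
    tmp.in_use = 1;
    *ch = tmp;
    return REQ_OK;
}

int main(void)
{
    connect_req_t bad = { 99, "192.0.2.10", NULL, "viewer", "constructed" };
    return handle_connect_info(&bad) == REQ_BAD_INDEX ? 0 : 1;
}
```

Routing every command through one index lookup means a bounds check cannot be forgotten in an individual handler.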


Remediation

Install the update from the vendor's website.