CVE-2026-42366
Published: 04 May 2026
Description
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability.
Mitigating Controls (NIST 800-53 r5)
Filters output from the ssi.cgi web interface by encoding user-supplied values for the HTML context they are reflected into, so a crafted URL cannot inject script into the response; this is the control that directly prevents reflected XSS execution.
Validates inputs to the ssi.cgi functionality and rejects specially crafted URLs carrying script or markup in reflected parameters before processing, as defence in depth alongside output encoding rather than as the sole control.
Requires timely remediation of the identified XSS flaw in GeoVision LPC2011/LPC2211 1.10 by applying the vendor's patch or firmware update.
Security Summary
CVE-2026-42366, published on 2026-05-04, describes multiple reflected cross-site scripting (XSS) vulnerabilities in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 version 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution when processed by the affected component. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N) and maps to CWE-79.
A remote attacker requires no privileges and can exploit this vulnerability over the network with low complexity by providing a crafted URL to a targeted user. Exploitation depends on user interaction: the victim must open the malicious URL in a browser, which returns the reflected payload and executes it. The scope is changed (S:C) because the vulnerable component is the device's web server while the impacted component is the user's browser. Successful exploitation runs arbitrary JavaScript in the origin of the device's web interface, with high confidentiality impact, for example theft of the session cookie for that interface or exfiltration of data the authenticated user can see.
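To make the mitigation and the exploitation path above concrete, here is an added example (not code from GeoVision or from the ssi.cgi interface) that puts a handler reflecting a query parameter without encoding next to its hardened form, and a canary check that tells the two apart. The parameter name "q" and the page layout are assumptions; the advisory does not name the parameters that ssi.cgi reflects.

```python
"""Reflected XSS, the bug class of CWE-79: a handler that reflects a query
parameter into HTML without encoding, next to the hardened form, plus a canary
check that distinguishes the two.

Added example, not code from GeoVision or from the ssi.cgi interface. The
parameter name "q" and the page layout are assumptions: the advisory does not
name the parameters that ssi.cgi reflects."""
import html
from urllib.parse import parse_qs, quote


def _param(query_string: str, name: str) -> str:
    """First value of `name` in the (URL-encoded) query string, or ''."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the parameter verbatim. Whatever the URL carried becomes markup
    in the victim's browser, so a <script> element or an event-handler
    attribute runs as JavaScript in the origin of the device's web interface."""
    value = _param(query_string, "q")
    return f"<html><body><p>Search results for: {value}</p></body></html>"


def render_hardened(query_string: str) -> str:
    """Same page with output encoding for the HTML text-node context the value
    lands in: '<', '>', '&' and both quote characters become entities, so the
    browser shows them as text instead of parsing them as markup."""
    value = _param(query_string, "q")
    safe = html.escape(value, quote=True)
    return f"<html><body><p>Search results for: {safe}</p></body></html>"


# Canary containing every character that can break out of a text node or an
# attribute value. It does nothing by itself; we only look for it in the output.
CANARY = 'xss"\'<canary>'


def reflects_unencoded(render, param: str = "q") -> bool:
    """Request the page with the canary as the parameter value and report
    whether it comes back byte-for-byte. A verbatim reflection means an
    attacker-controlled URL can inject markup; an encoded one means it cannot
    in this context (a value reflected inside a <script> block or a URL
    attribute needs a different encoding and a different canary)."""
    body = render(f"{param}={quote(CANARY, safe='')}")
    return CANARY in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        print(f"{name}: reflects unencoded = {reflects_unencoded(handler)}")
```

Against a real interface, `render` would be replaced by a function that performs the HTTP GET and returns the response body; the canary logic is unchanged. The hardened handler shows the output-filtering control from the mitigations list: the fix is encoding at the point of reflection, chosen for the HTML context, not a blocklist of known payloads.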
Mitigation guidance and additional details are available in advisories from Talos Intelligence at https://talosintelligence.com/vulnerability_reports/ and GeoVision's cyber security page at https://www.geovision.com.tw/cyber_security.php.
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Affected Products
- GeoVision LPC2011/LPC2211 1.10
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in the public-facing web interface (T1190), delivered through a crafted URL the victim must open (T1204.001), yields client-side JavaScript execution in the victim's browser (T1059.007). The payload can then steal the session cookie for the device's web interface (T1539) and hijack the user's authenticated access to the device.
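For the detection side of the techniques listed above, here is an added example (not from the advisory or the vendor) that parses web-server access-log lines and flags requests to ssi.cgi whose query string carries XSS indicators after URL decoding. The log lines, the parameter name "page", the payloads and the indicator list are all constructed for the example; the advisory does not publish the vulnerable parameters or real attack traffic.

```python
"""Detection: flag requests to ssi.cgi whose query string carries XSS
indicators, run over constructed access-log lines.

Added example; the log lines, parameter names, payloads and indicator list are
constructed or assumed, not taken from the advisory. Note that for reflected
XSS the request is made by the victim's browser, so the source IP in a hit is
the victim, not the attacker."""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined Log Format as written by common web servers (sample lines below are
# constructed). Captures client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Indicators are matched in lower case after URL-decoding twice, so both
# %3Cscript%3E and the double-encoded %253Cscript%253E are caught.
INDICATORS = ("<script", "javascript:", "onerror=", "onload=",
              "<svg", "<img", "<iframe")

# Constructed sample: one benign ssi.cgi request, one single-encoded and one
# double-encoded payload to ssi.cgi, one unrelated page, one payload elsewhere.
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2026:10:01:00 +0000] "GET /ssi.cgi?page=status HTTP/1.1" 200 512
192.0.2.11 - - [04/May/2026:10:01:05 +0000] "GET /ssi.cgi?page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
192.0.2.12 - - [04/May/2026:10:01:09 +0000] "GET /ssi.cgi?page=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 640
192.0.2.13 - - [04/May/2026:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.14 - - [04/May/2026:10:01:15 +0000] "GET /other.cgi?x=%3Cscript%3E HTTP/1.1" 404 90
"""


def decode_query(target: str) -> str:
    """Query part of the request target, URL-decoded twice and lower-cased."""
    query = urlsplit(target).query
    return unquote_plus(unquote_plus(query)).lower()


def find_xss_attempts(log_text: str, path: str = "/ssi.cgi") -> list:
    """Return one record per request to `path` whose decoded query contains
    at least one indicator. Records keep the client IP, timestamp, response
    status and the indicators that fired, for triage."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash
        target = m.group("target")
        if urlsplit(target).path != path:
            continue
        decoded = decode_query(target)
        fired = [i for i in INDICATORS if i in decoded]
        if fired:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "indicators": fired,
                "query": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["indicators"])
```

Restricting the match to the ssi.cgi path keeps the rule tied to the component the advisory names; widen `path` or run the function once per known endpoint to cover more. A 200 response to a request that carries a payload is the interesting case, since it is consistent with the server having reflected the input; a 404 says little either way.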