Cyber Resilience

CVE-2026-42366

High

Published: 04 May 2026

Published
04 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS Score 0.0005 15.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42366 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Geovision Gv-Lpc2011 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-42366, published on 2026-05-04, describes multiple reflected cross-site scripting (XSS) vulnerabilities in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 version 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution when processed by the affected component. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N) and maps to CWE-79.

A remote attacker requires no privileges and can exploit this vulnerability over the network with low complexity by providing a crafted URL to a targeted user. Exploitation depends on user interaction, such as visiting the malicious URL in a browser, which triggers the reflected XSS payload. Successful execution runs arbitrary JavaScript in the victim's browser context, potentially leading to high confidentiality impacts like session hijacking or data exfiltration due to the changed scope (S:C).

Mitigation guidance and additional details are available in advisories from Talos Intelligence at https://talosintelligence.com/vulnerability_reports/ and GeoVision's cyber security page at https://www.geovision.com.tw/cyber_security.php.

EU & UK References

Vulnerability details

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to trigger…

more

this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Reflected XSS in public web interface directly enables client-side JS execution (T1059.007) via crafted malicious URL (T1204.001, T1190). Payload facilitates session cookie theft (T1539) for hijacking authenticated access to the device.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7371Same product: Geovision Gv-Lpc2011
CVE-2026-42365Same product: Geovision Gv-Lpc2011
CVE-2026-42364Same product: Geovision Gv-Lpc2011
CVE-2026-42368Same product: Geovision Gv-Lpc2011
CVE-2025-28877Shared CWE-79
CVE-2026-25342Shared CWE-79
CVE-2024-47140Shared CWE-79
CVE-2025-23538Shared CWE-79
CVE-2026-27099Shared CWE-79
CVE-2025-12716Shared CWE-79

Affected Assets

geovision
gv-lpc2011 firmware
1.10
geovision
gv-lpc2211 firmware
1.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Filters output from the ssi.cgi web interface to prevent reflection of malicious JavaScript payloads in user responses, directly mitigating reflected XSS execution.

prevent

Validates inputs to the ssi.cgi functionality to reject specially crafted URLs containing XSS payloads before processing.

prevent

Requires timely remediation of the identified XSS flaw in GeoVision LPC2011/LPC2211 1.10 via patching or updates.

References