CVE-2026-4860
Published: 26 March 2026
Summary
CVE-2026-4860 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-10 (Information Input Validation): directly mitigates the deserialization vulnerability by enforcing validation of untrusted inputs to the API endpoint before they are processed.
- SC-7 (Boundary Protection): prevents remote exploitation by placing boundary protections such as firewalls or network segmentation in front of the vulnerable API endpoint so that access to it is restricted.
- Flaw remediation (control ID not stated on this page): addresses the flaw by requiring monitoring for patches or upgrades beyond version 2.7.4 that remediate the deserialization issue.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Remote unauthenticated deserialization RCE in exposed API endpoint directly enables T1190 (Exploit Public-Facing Application).
NVD Description
A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in deserialization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis (AI-generated)
CVE-2026-4860 is a deserialization vulnerability in the wvp-GB28181-pro software up to version 2.7.4. The flaw resides in the GenericFastJsonRedisSerializer function within the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java, part of the API Endpoint component. It stems from improper input validation (CWE-20) and deserialization of untrusted data (CWE-502), earning a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. Successful exploitation enables partial compromise of confidentiality, integrity, and availability through arbitrary deserialization, potentially leading to code execution or other impacts depending on the payload.
Advisories from VulDB and a GitHub issue in the wing3e/public_exp repository detail the vulnerability but note no vendor response despite early disclosure contact. No patches or official mitigations are available; practitioners should consider upgrading beyond version 2.7.4 if possible, restricting API Endpoint access, or implementing network segmentation and input validation as interim measures.
A public exploit has been released, increasing the risk of real-world attacks against exposed instances of this software.
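As an added illustration of the SI-10 (input validation) control and the interim input-validation measure described above, and not code from the wvp-GB28181-pro project or its maintainers, the following Spring Data Redis serializer binds every cached JSON value to a fixed allow-list of target classes and disables fastjson's autoType, so the stored payload can never choose the class it is deserialized into. The package, class and DeviceRecord type are hypothetical, the size limit is an assumed value, and the code assumes Spring Data Redis and fastjson 1.2.68 or later (the version that introduced setSafeMode) on the classpath.

```java
// Added illustration (not wvp-GB28181-pro's code): a Redis value serializer
// that applies SI-10-style input validation to cached JSON before it is
// deserialized. Package, class and DeviceRecord names are hypothetical.
package example.cache;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.data.redis.serializer.SerializationException;

import java.nio.charset.StandardCharsets;
import java.util.Map;

public final class AllowListJsonRedisSerializer implements RedisSerializer<Object> {

    // Only these concrete types may ever come back out of Redis. The tag is
    // our own field written by serialize(), not a fastjson "@type" marker.
    private static final Map<String, Class<?>> ALLOWED = Map.of(
            "DeviceRecord", DeviceRecord.class);

    // Upper bound on a cached value; assumed limit, tune per deployment.
    private static final int MAX_BYTES = 64 * 1024;

    static {
        // Disable fastjson autoType process-wide (fastjson >= 1.2.68), so a
        // payload cannot name its own class via "@type" even if some other
        // code path parses it without going through this serializer.
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    @Override
    public byte[] serialize(Object value) throws SerializationException {
        if (value == null) {
            return new byte[0];
        }
        String tag = value.getClass().getSimpleName();
        if (!ALLOWED.containsKey(tag)) {
            throw new SerializationException("type not allowed in cache: " + value.getClass());
        }
        // Stored format: "<tag>\n<json>". Class information is never taken
        // from the JSON itself on the way back in.
        String body = tag + "\n" + JSON.toJSONString(value);
        return body.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public Object deserialize(byte[] bytes) throws SerializationException {
        if (bytes == null || bytes.length == 0) {
            return null;
        }
        if (bytes.length > MAX_BYTES) {
            throw new SerializationException("cached value exceeds size limit");
        }
        String text = new String(bytes, StandardCharsets.UTF_8);
        int nl = text.indexOf('\n');
        if (nl <= 0) {
            throw new SerializationException("malformed cache entry");
        }
        String tag = text.substring(0, nl);
        Class<?> target = ALLOWED.get(tag);
        if (target == null) {
            // Validation failure: surface it (log/alert) and refuse. Never fall
            // back to Object.class, which is what re-enables attacker-chosen types.
            throw new SerializationException("rejected cache entry with unknown type tag: " + tag);
        }
        // Bind to the fixed class chosen by the allow-list, not by the payload.
        return JSON.parseObject(text.substring(nl + 1), target);
    }

    // Hypothetical cached type: plain data fields, no side effects in setters.
    public static final class DeviceRecord {
        private String deviceId;
        private String name;

        public String getDeviceId() { return deviceId; }
        public void setDeviceId(String deviceId) { this.deviceId = deviceId; }
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }
}
```

The serializer would be registered on the RedisTemplate in place of a generic fastjson serializer. The design point is that the target class comes from a server-side table keyed by a tag the server itself wrote, and the global safe mode removes autoType as a fallback; a rejected entry is a detection signal worth logging, since a legitimate cache should only ever contain allow-listed tags.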
Details
- CWE(s): CWE-20 (Improper Input Validation), CWE-502 (Deserialization of Untrusted Data)