Common Weakness Enumeration
CWE-121
Stack-based Buffer Overflow
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CVE-2026-11557 (GCVE-0-2026-11557)
Vulnerability from cvelistv5 – Published: 2026-06-08 18:15 – Updated: 2026-06-08 19:52
VLAI
Title
Tenda F451 Web Management Natlimit fromNatlimit stack-based overflow
Summary
A weakness has been identified in Tenda F451 1.0.0.7/1.0.0.9. The affected element is the function fromNatlimit of the file /goform/Natlimit of the component Web Management Interface. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369167 | vdb-entry, technical-description |
| https://vuldb.com/vuln/369167/cti | signature, permissions-required |
| https://vuldb.com/cve/CVE-2026-11557 | third-party-advisory |
| https://vuldb.com/submit/836477 | third-party-advisory |
| https://github.com/Robots10/IoT_vlu/blob/main/rep… | exploit |
| https://www.tenda.com.cn/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11557",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T19:52:15.831128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T19:52:29.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:tenda:f451_firmware:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Management Interface"
],
"product": "F451",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "1.0.0.7"
},
{
"status": "affected",
"version": "1.0.0.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "hacker128 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Tenda F451 1.0.0.7/1.0.0.9. The affected element is the function fromNatlimit of the file /goform/Natlimit of the component Web Management Interface. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T18:15:10.637Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369167 | Tenda F451 Web Management Natlimit fromNatlimit stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369167"
},
{
"name": "VDB-369167 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369167/cti"
},
{
"name": "CVE-2026-11557 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11557"
},
{
"name": "Submit #836477 | Tenda Tenda F451 Wireless Router V1.0.0.7, V1.0.0.9 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/836477"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Robots10/IoT_vlu/blob/main/reports/Tenda/fromNatlimit/fromNatlimit.md"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-08T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-08T08:00:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda F451 Web Management Natlimit fromNatlimit stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11557",
"datePublished": "2026-06-08T18:15:10.637Z",
"dateReserved": "2026-06-08T05:55:39.465Z",
"dateUpdated": "2026-06-08T19:52:29.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11793 (GCVE-0-2026-11793)
Vulnerability from cvelistv5 – Published: 2026-06-09 13:11 – Updated: 2026-06-30 10:32
VLAI
Title
389-ds-base: 389-ds-base: stack buffer overflow in checkprefix() algorithm id parsing
Summary
A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-11793 | vdb-entry, x_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2484914 | issue-tracking, x_refsource_REDHAT |
Impacted products
8 products
| Vendor | Product | Version | CPE |
|---|---|---|---|
| Red Hat | Red Hat Directory Server 11 | | cpe:/a:redhat:directory_server:11 |
| Red Hat | Red Hat Directory Server 12 | | cpe:/a:redhat:directory_server:12 |
| Red Hat | Red Hat Directory Server 13 | | cpe:/a:redhat:directory_server:13 |
| Red Hat | Red Hat Enterprise Linux 10 | | cpe:/o:redhat:enterprise_linux:10 |
| Red Hat | Red Hat Enterprise Linux 6 | | cpe:/o:redhat:enterprise_linux:6 |
| Red Hat | Red Hat Enterprise Linux 7 | | cpe:/o:redhat:enterprise_linux:7 |
| Red Hat | Red Hat Enterprise Linux 8 | | cpe:/o:redhat:enterprise_linux:8 |
| Red Hat | Red Hat Enterprise Linux 9 | | cpe:/o:redhat:enterprise_linux:9 |
Date Public
2026-04-16 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:29:17.306116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:29:33.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server:11"
],
"defaultStatus": "unknown",
"packageName": "redhat-ds:11/389-ds-base",
"product": "Red Hat Directory Server 11",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server:12"
],
"defaultStatus": "unknown",
"packageName": "redhat-ds:12/389-ds-base",
"product": "Red Hat Directory Server 12",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server:13"
],
"defaultStatus": "unknown",
"packageName": "389-ds-base",
"product": "Red Hat Directory Server 13",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unknown",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unknown",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unknown",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Ian Murphy (Red Hat)."
}
],
"datePublic": "2026-04-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T10:32:56.925Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-11793"
},
{
"name": "RHBZ#2484914",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484914"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-16T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-16T00:00:00.000Z",
"value": "Made public."
}
],
"title": "389-ds-base: 389-ds-base: stack buffer overflow in checkprefix() algorithm id parsing",
"workarounds": [
{
"lang": "en",
"value": "Restrict Directory Manager access. Monitor cn=config attributes (nsDS5ReplicaCredentials, nsDS5ReplicaBootstrapCredentials) for abnormally long values. Restrict LDAP administrative access to management networks or localhost (LDAPI)."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-121: Stack-based Buffer Overflow"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-11793",
"datePublished": "2026-06-09T13:11:40.477Z",
"dateReserved": "2026-06-09T13:04:58.380Z",
"dateUpdated": "2026-06-30T10:32:56.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11979 (GCVE-0-2026-11979)
Vulnerability from cvelistv5 – Published: 2026-06-29 13:21 – Updated: 2026-06-29 13:59 – Tags: x_open-source, disputed
VLAI
Title
Stack-Based Buffer Overflow in libxml2
Summary
libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking.
By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame.
Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.
This issue has been fixed in the commit c2e233fc.
NOTE:
The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2026/06/CVE-2026-11979 | third-party-advisory |
| https://gitlab.gnome.org/GNOME/libxml2/-/commit/c… | patch |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11979",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:59:12.311421Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:59:18.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"xmlcatalog"
],
"product": "libxml2",
"repo": "https://gitlab.gnome.org/GNOME/libxml2/",
"vendor": "xmlsoft",
"versions": [
{
"lessThanOrEqual": "2.15.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Majchrowicz (AFINE Team)"
},
{
"lang": "en",
"type": "finder",
"value": "Marcin Wyczechowski (AFINE Team)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking.\u003cbr\u003eBy supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame.\u003cbr\u003eSuccessful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.\u003cbr\u003e\u003cbr\u003eThis issue has been fixed in the commit c2e233fc.\u003cbr\u003e\u003cbr\u003eNOTE:\u003cbr\u003eThe maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.\u003cbr\u003e"
}
],
"value": "libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking.\nBy supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame.\nSuccessful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.\n\nThis issue has been fixed in the commit c2e233fc.\n\nNOTE:\nThe maintainers of this project did not agree that this issue is a vulnerability and considered it a bug."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:21:42.697Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2026/06/CVE-2026-11979"
},
{
"tags": [
"patch"
],
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source",
"disputed"
],
"title": "Stack-Based Buffer Overflow in libxml2",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-11979",
"datePublished": "2026-06-29T13:21:42.697Z",
"dateReserved": "2026-06-11T13:20:24.839Z",
"dateUpdated": "2026-06-29T13:59:18.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12200 (GCVE-0-2026-12200)
Vulnerability from cvelistv5 – Published: 2026-06-15 00:15 – Updated: 2026-06-15 21:50
VLAI
Title
Ritlabs TinyWeb Server Header libeay32.dll.html stack-based overflow
Summary
A security vulnerability has been detected in Ritlabs TinyWeb Server up to 1.94 on Win32. This impacts an unknown function in the library libeay32.dll.html of the component Header Handler. The manipulation of the argument Authorization leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/370842 | vdb-entry, technical-description |
| https://vuldb.com/vuln/370842/cti | signature, permissions-required |
| https://vuldb.com/cve/CVE-2026-12200 | third-party-advisory |
| https://vuldb.com/submit/829894 | third-party-advisory |
| https://nathan2.com/posts/tinyweb/ | exploit |
Impacted products
1 product
| Vendor | Product | Version | CPE |
|---|---|---|---|
| Ritlabs | TinyWeb Server | Affected: 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12, 1.13, 1.14, 1.15, 1.16, 1.17, 1.18, 1.19, 1.20, 1.21, 1.22, 1.23, 1.24, 1.25, 1.26, 1.27, 1.28, 1.29, 1.30, 1.31, 1.32, 1.33, 1.34, 1.35, 1.36, 1.37, 1.38, 1.39, 1.40, 1.41, 1.42, 1.43, 1.44, 1.45, 1.46, 1.47, 1.48, 1.49, 1.50, 1.51, 1.52, 1.53, 1.54, 1.55, 1.56, 1.57, 1.58, 1.59, 1.60, 1.61, 1.62, 1.63, 1.64, 1.65, 1.66, 1.67, 1.68, 1.69, 1.70, 1.71, 1.72, 1.73, 1.74, 1.75, 1.76, 1.77, 1.78, 1.79, 1.80, 1.81, 1.82, 1.83, 1.84, 1.85, 1.86, 1.87, 1.88, 1.89, 1.90, 1.91, 1.92, 1.93, 1.94 | cpe:2.3:a:ritlabs:tinyweb_server:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T21:49:59.205529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T21:50:10.901Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ritlabs:tinyweb_server:*:*:*:*:*:*:*:*"
],
"modules": [
"Header Handler"
],
"product": "TinyWeb Server",
"vendor": "Ritlabs",
"versions": [
{
"status": "affected",
"version": "1.0"
},
{
"status": "affected",
"version": "1.1"
},
{
"status": "affected",
"version": "1.2"
},
{
"status": "affected",
"version": "1.3"
},
{
"status": "affected",
"version": "1.4"
},
{
"status": "affected",
"version": "1.5"
},
{
"status": "affected",
"version": "1.6"
},
{
"status": "affected",
"version": "1.7"
},
{
"status": "affected",
"version": "1.8"
},
{
"status": "affected",
"version": "1.9"
},
{
"status": "affected",
"version": "1.10"
},
{
"status": "affected",
"version": "1.11"
},
{
"status": "affected",
"version": "1.12"
},
{
"status": "affected",
"version": "1.13"
},
{
"status": "affected",
"version": "1.14"
},
{
"status": "affected",
"version": "1.15"
},
{
"status": "affected",
"version": "1.16"
},
{
"status": "affected",
"version": "1.17"
},
{
"status": "affected",
"version": "1.18"
},
{
"status": "affected",
"version": "1.19"
},
{
"status": "affected",
"version": "1.20"
},
{
"status": "affected",
"version": "1.21"
},
{
"status": "affected",
"version": "1.22"
},
{
"status": "affected",
"version": "1.23"
},
{
"status": "affected",
"version": "1.24"
},
{
"status": "affected",
"version": "1.25"
},
{
"status": "affected",
"version": "1.26"
},
{
"status": "affected",
"version": "1.27"
},
{
"status": "affected",
"version": "1.28"
},
{
"status": "affected",
"version": "1.29"
},
{
"status": "affected",
"version": "1.30"
},
{
"status": "affected",
"version": "1.31"
},
{
"status": "affected",
"version": "1.32"
},
{
"status": "affected",
"version": "1.33"
},
{
"status": "affected",
"version": "1.34"
},
{
"status": "affected",
"version": "1.35"
},
{
"status": "affected",
"version": "1.36"
},
{
"status": "affected",
"version": "1.37"
},
{
"status": "affected",
"version": "1.38"
},
{
"status": "affected",
"version": "1.39"
},
{
"status": "affected",
"version": "1.40"
},
{
"status": "affected",
"version": "1.41"
},
{
"status": "affected",
"version": "1.42"
},
{
"status": "affected",
"version": "1.43"
},
{
"status": "affected",
"version": "1.44"
},
{
"status": "affected",
"version": "1.45"
},
{
"status": "affected",
"version": "1.46"
},
{
"status": "affected",
"version": "1.47"
},
{
"status": "affected",
"version": "1.48"
},
{
"status": "affected",
"version": "1.49"
},
{
"status": "affected",
"version": "1.50"
},
{
"status": "affected",
"version": "1.51"
},
{
"status": "affected",
"version": "1.52"
},
{
"status": "affected",
"version": "1.53"
},
{
"status": "affected",
"version": "1.54"
},
{
"status": "affected",
"version": "1.55"
},
{
"status": "affected",
"version": "1.56"
},
{
"status": "affected",
"version": "1.57"
},
{
"status": "affected",
"version": "1.58"
},
{
"status": "affected",
"version": "1.59"
},
{
"status": "affected",
"version": "1.60"
},
{
"status": "affected",
"version": "1.61"
},
{
"status": "affected",
"version": "1.62"
},
{
"status": "affected",
"version": "1.63"
},
{
"status": "affected",
"version": "1.64"
},
{
"status": "affected",
"version": "1.65"
},
{
"status": "affected",
"version": "1.66"
},
{
"status": "affected",
"version": "1.67"
},
{
"status": "affected",
"version": "1.68"
},
{
"status": "affected",
"version": "1.69"
},
{
"status": "affected",
"version": "1.70"
},
{
"status": "affected",
"version": "1.71"
},
{
"status": "affected",
"version": "1.72"
},
{
"status": "affected",
"version": "1.73"
},
{
"status": "affected",
"version": "1.74"
},
{
"status": "affected",
"version": "1.75"
},
{
"status": "affected",
"version": "1.76"
},
{
"status": "affected",
"version": "1.77"
},
{
"status": "affected",
"version": "1.78"
},
{
"status": "affected",
"version": "1.79"
},
{
"status": "affected",
"version": "1.80"
},
{
"status": "affected",
"version": "1.81"
},
{
"status": "affected",
"version": "1.82"
},
{
"status": "affected",
"version": "1.83"
},
{
"status": "affected",
"version": "1.84"
},
{
"status": "affected",
"version": "1.85"
},
{
"status": "affected",
"version": "1.86"
},
{
"status": "affected",
"version": "1.87"
},
{
"status": "affected",
"version": "1.88"
},
{
"status": "affected",
"version": "1.89"
},
{
"status": "affected",
"version": "1.90"
},
{
"status": "affected",
"version": "1.91"
},
{
"status": "affected",
"version": "1.92"
},
{
"status": "affected",
"version": "1.93"
},
{
"status": "affected",
"version": "1.94"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "nathan2 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Ritlabs TinyWeb Server up to 1.94 on Win32. This impacts an unknown function in the library libeay32.dll.html of the component Header Handler. The manipulation of the argument Authorization leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T00:15:08.714Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-370842 | Ritlabs TinyWeb Server Header libeay32.dll.html stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/370842"
},
{
"name": "VDB-370842 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/370842/cti"
},
{
"name": "CVE-2026-12200 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12200"
},
{
"name": "Submit #829894 | RITLabs TinyWeb 1.94 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/829894"
},
{
"tags": [
"exploit"
],
"url": "https://nathan2.com/posts/tinyweb/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-14T13:44:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "Ritlabs TinyWeb Server Header libeay32.dll.html stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12200",
"datePublished": "2026-06-15T00:15:08.714Z",
"dateReserved": "2026-06-14T11:39:38.478Z",
"dateUpdated": "2026-06-15T21:50:10.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12218 (GCVE-0-2026-12218)
Vulnerability from cvelistv5 – Published: 2026-06-15 04:15 – Updated: 2026-06-27 05:44
VLAI
Title
Yealink SIP-T46U Web FastCGI Service beforewifitest StartReportInformation stack-based overflow
Summary
A vulnerability was detected in Yealink SIP-T46U 108.87.50.1. The affected element is the function StartReportInformation of the file /api/inner/beforewifitest of the component Web FastCGI Service. The manipulation of the argument port results in stack-based buffer overflow. Access to the local network is required for this attack. The exploit is now public and may be used. The vendor was contacted early about this disclosure and is working on a patch to fix it.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/370861 | vdb-entry, technical-description |
| https://vuldb.com/vuln/370861/cti | signature, permissions-required |
| https://vuldb.com/cve/CVE-2026-12218 | third-party-advisory |
| https://vuldb.com/submit/834193 | third-party-advisory |
| http://cdn2.v50to.cc/T46U/T46U_beforewifitest_sta… | broken-link, exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12218",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T10:32:54.702711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:33:14.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"
],
"modules": [
"Web FastCGI Service"
],
"product": "SIP-T46U",
"vendor": "Yealink",
"versions": [
{
"status": "affected",
"version": "108.87.50.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "CookedMelon (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Yealink SIP-T46U 108.87.50.1. The affected element is the function StartReportInformation of the file /api/inner/beforewifitest of the component Web FastCGI Service. The manipulation of the argument port results in stack-based buffer overflow. Access to the local network is required for this attack. The exploit is now public and may be used. The vendor was contacted early about this disclosure and is working on a patch to fix it."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.7,
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T05:44:47.996Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-370861 | Yealink SIP-T46U Web FastCGI Service beforewifitest StartReportInformation stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/370861"
},
{
"name": "VDB-370861 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/370861/cti"
},
{
"name": "CVE-2026-12218 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12218"
},
{
"name": "Submit #834193 | yealink T46U 108.87.50.1 stack",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834193"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "http://cdn2.v50to.cc/T46U/T46U_beforewifitest_stack_overflow.zip"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-27T07:45:46.000Z",
"value": "VulDB entry last update"
}
],
"title": "Yealink SIP-T46U Web FastCGI Service beforewifitest StartReportInformation stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12218",
"datePublished": "2026-06-15T04:15:10.808Z",
"dateReserved": "2026-06-14T13:54:11.247Z",
"dateUpdated": "2026-06-27T05:44:47.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12220 (GCVE-0-2026-12220)
Vulnerability from cvelistv5 – Published: 2026-06-15 04:45 – Updated: 2026-06-27 05:45
Title
Yealink SIP-T46U Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload stack-based overflow
Summary
A vulnerability has been found in Yealink SIP-T46U 108.86.0.118. This affects the function mod_upgrade.SparePartsUpload of the file /api/upgrade/accupgradebychunk of the component Firmware Chunk Upload handler. Such manipulation of the argument uid leads to stack-based buffer overflow. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure and is working on a patch to fix it.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/370863 | vdb-entry, technical-description |
| https://vuldb.com/vuln/370863/cti | signature, permissions-required |
| https://vuldb.com/cve/CVE-2026-12220 | third-party-advisory |
| https://vuldb.com/submit/834205 | third-party-advisory |
| http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_SpareP… | broken-link, exploit, patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12220",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T15:52:49.971836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T19:24:51.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"
],
"modules": [
"Firmware Chunk Upload handler"
],
"product": "SIP-T46U",
"vendor": "Yealink",
"versions": [
{
"status": "affected",
"version": "108.86.0.118"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "CookedMelon (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Yealink SIP-T46U 108.86.0.118. This affects the function mod_upgrade.SparePartsUpload of the file /api/upgrade/accupgradebychunk of the component Firmware Chunk Upload handler. Such manipulation of the argument uid leads to stack-based buffer overflow. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure and is working on a patch to fix it."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.7,
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T05:45:11.834Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-370863 | Yealink SIP-T46U Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/370863"
},
{
"name": "VDB-370863 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/370863/cti"
},
{
"name": "CVE-2026-12220 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12220"
},
{
"name": "Submit #834205 | yealink T46U 108.86.0.118 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834205"
},
{
"tags": [
"broken-link",
"exploit",
"patch"
],
"url": "http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_SparePartsUpload_stack_overflow.zip"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-27T07:46:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "Yealink SIP-T46U Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12220",
"datePublished": "2026-06-15T04:45:10.866Z",
"dateReserved": "2026-06-14T13:54:16.276Z",
"dateUpdated": "2026-06-27T05:45:11.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12221 (GCVE-0-2026-12221)
Vulnerability from cvelistv5 – Published: 2026-06-15 05:00 – Updated: 2026-06-27 05:45
Title
Yealink SIP-T46U Firmware Chunk Upload upgrade sprintf stack-based overflow
Summary
A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure and is working on a patch to fix it.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/370864 | vdb-entry, technical-description |
| https://vuldb.com/vuln/370864/cti | signature, permissions-required |
| https://vuldb.com/cve/CVE-2026-12221 | third-party-advisory |
| https://vuldb.com/submit/834207 | third-party-advisory |
| http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_Upgrad… | broken-link, exploit, patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12221",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:50:29.215688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:50:45.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"
],
"modules": [
"Firmware Chunk Upload Handler"
],
"product": "SIP-T46U",
"vendor": "Yealink",
"versions": [
{
"status": "affected",
"version": "108.86.0.118"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "CookedMelon (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure and is working on a patch to fix it."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.7,
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T05:45:23.320Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-370864 | Yealink SIP-T46U Firmware Chunk Upload upgrade sprintf stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/370864"
},
{
"name": "VDB-370864 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/370864/cti"
},
{
"name": "CVE-2026-12221 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12221"
},
{
"name": "Submit #834207 | yealink T46U 108.86.0.118 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834207"
},
{
"tags": [
"broken-link",
"exploit",
"patch"
],
"url": "http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_Upgrade_chunk_stack_overflow.zip"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-27T07:47:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "Yealink SIP-T46U Firmware Chunk Upload upgrade sprintf stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12221",
"datePublished": "2026-06-15T05:00:10.661Z",
"dateReserved": "2026-06-14T13:54:18.805Z",
"dateUpdated": "2026-06-27T05:45:23.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12222 (GCVE-0-2026-12222)
Vulnerability from cvelistv5 – Published: 2026-06-15 05:15 – Updated: 2026-06-27 05:45
Title
Yealink SIP-T46U Web FastCGI Service bttest mod_webd.BlueToothTest stack-based overflow
Summary
A vulnerability was determined in Yealink SIP-T46U 108.86.0.118. Affected is the function mod_webd.BlueToothTest of the file /api/inner/bttest of the component Web FastCGI Service. Executing a manipulation of the argument btMac/pin/reserved can lead to stack-based buffer overflow. The attack needs to be done within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and is working on a patch to fix it.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/370865 | vdb-entry, technical-description |
| https://vuldb.com/vuln/370865/cti | signature, permissions-required |
| https://vuldb.com/cve/CVE-2026-12222 | third-party-advisory |
| https://vuldb.com/submit/834602 | third-party-advisory |
| http://cdn2.v50to.cc/T46U/T46U_mod_webd_BlueTooth… | broken-link, exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12222",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T13:11:11.186975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T13:11:18.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"
],
"modules": [
"Web FastCGI Service"
],
"product": "SIP-T46U",
"vendor": "Yealink",
"versions": [
{
"status": "affected",
"version": "108.86.0.118"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ChiChen241 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Yealink SIP-T46U 108.86.0.118. Affected is the function mod_webd.BlueToothTest of the file /api/inner/bttest of the component Web FastCGI Service. Executing a manipulation of the argument btMac/pin/reserved can lead to stack-based buffer overflow. The attack needs to be done within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and is working on a patch to fix it."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.7,
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T05:45:32.646Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-370865 | Yealink SIP-T46U Web FastCGI Service bttest mod_webd.BlueToothTest stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/370865"
},
{
"name": "VDB-370865 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/370865/cti"
},
{
"name": "CVE-2026-12222 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12222"
},
{
"name": "Submit #834602 | yealink T46U 108.86.0.118 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834602"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "http://cdn2.v50to.cc/T46U/T46U_mod_webd_BlueToothTest_off_by_one.zip"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-27T07:48:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "Yealink SIP-T46U Web FastCGI Service bttest mod_webd.BlueToothTest stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12222",
"datePublished": "2026-06-15T05:15:09.045Z",
"dateReserved": "2026-06-14T13:54:21.407Z",
"dateUpdated": "2026-06-27T05:45:32.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12485 (GCVE-0-2026-12485)
Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:56
Title
GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
Summary
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### IP field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
```c
v3 = strlen(g_network_config->ip_addr);
memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
```
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.geovision.com.tw/cyber_security.php | vendor-advisory |
| https://talosintelligence.com/vulnerability_repor… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| GeoVision Inc. | GV-I/O Box 4E | Affected: V2.09; Unaffected: v2.12 |
Date Public
2026-06-17 03:10
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:55:48.854235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:56:06.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "GV-I/O Box 4E",
"vendor": "GeoVision Inc.",
"versions": [
{
"status": "affected",
"version": "V2.09"
},
{
"status": "unaffected",
"version": "v2.12"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Philippe Laulheret of Cisco Talos"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Kelly Patterson of Cisco Talos"
},
{
"lang": "en",
"type": "coordinator",
"value": "Robert Sherwin of Cisco Talos"
}
],
"datePublic": "2026-06-17T03:10:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### IP field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e v3 = strlen(g_network_config-\u0026gt;ip_addr);\n\u003cbr\u003e memcpy(\u0026amp;reply_buf[36], g_network_config-\u0026gt;ip_addr, v3);\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### IP field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n v3 = strlen(g_network_config-\u003eip_addr);\n\n memcpy(\u0026reply_buf[36], g_network_config-\u003eip_addr, v3);"
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T03:34:22.794Z",
"orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
"shortName": "GV"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.geovision.com.tw/cyber_security.php"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-21T07:34:00.000Z",
"value": "Finder Reports Vulnerabilties to Vendor"
}
],
"title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
"assignerShortName": "GV",
"cveId": "CVE-2026-12485",
"datePublished": "2026-06-24T03:34:22.794Z",
"dateReserved": "2026-06-17T03:09:05.554Z",
"dateUpdated": "2026-06-24T12:56:06.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12488 (GCVE-0-2026-12488)
Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:55
Title
GeoVision GV-VMS V20 GV-Cloud memory corruption vulnerability
Summary
A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.
A specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability.
Severity
6.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.geovision.com.tw/cyber_security.php | vendor-advisory |
| https://talosintelligence.com/vulnerability_repor… | third-party-advisory |
| https://www.talosintelligence.com/vulnerability_r… | |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| GeoVision Inc. | GeoVision | Affected: V20.0.2; Unaffected: V20.1.0.0 |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-24T05:23:56.794Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2411"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:55:06.184694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:55:14.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "GeoVision",
"vendor": "GeoVision Inc.",
"versions": [
{
"status": "affected",
"version": "V20.0.2"
},
{
"status": "unaffected",
"version": "V20.1.0.0"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geovision_inc.:geovision:v20.0.2:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geovision_inc.:geovision:v20.1.0.0:*:windows:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Philippe Laulheret of Cisco Talos."
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Kelly Patterson of Cisco Talos."
},
{
"lang": "en",
"type": "coordinator",
"value": "Robert Sherwin of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eA specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability.\u003c/div\u003e"
}
],
"value": "A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.\u00a0\n\n\nA specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T03:34:20.794Z",
"orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
"shortName": "GV"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.geovision.com.tw/cyber_security.php"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2411"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "GeoVision GV-VMS version V20.1.0 has patched the reported vulnerability.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eUser is recommended to download the update from GeoVision\u0027s offical website\u0026nbsp;(https://www.geovision.com.tw/download/product/GV-VMS%20V20)\u003c/div\u003e\u003cdiv\u003eor contact GeoVision Support team at support@geovision.com.tw\u0026nbsp;\u003c/div\u003e"
}
],
"value": "GeoVision GV-VMS version V20.1.0 has patched the reported vulnerability.\u00a0\n\n\nUser is recommended to download the update from GeoVision\u0027s offical website\u00a0(https://www.geovision.com.tw/download/product/GV-VMS%20V20)\n\nor contact GeoVision Support team at support@geovision.com.tw"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-21T03:49:00.000Z",
"value": "Initial Vendor Contact"
}
],
"title": "GeoVision GV-VMS V20 GV-Cloud memory corruption vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
"assignerShortName": "GV",
"cveId": "CVE-2026-12488",
"datePublished": "2026-06-24T03:34:20.794Z",
"dateReserved": "2026-06-17T03:39:27.939Z",
"dateUpdated": "2026-06-24T12:55:14.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-10
Phases: Operation, Build and Compilation
Strategy: Environment Hardening
Description:
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation
Phase: Architecture and Design
Description:
- Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Phase: Implementation
Description:
- Implement and perform bounds checking on input.
Mitigation
Phase: Implementation
Description:
- Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.
Mitigation ID: MIT-11
Phases: Operation, Build and Compilation
Strategy: Environment Hardening
Description:
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
No CAPEC attack patterns related to this CWE.