CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57274
High

The GeoWebPlayer addon (Web Plugin/WS Player) for GeoVision software (GV-VMS, GV-Cloud) contains a buffer overflow vulnerability in the handle_connection_info function. An attacker from localhost can send a crafted JSON request with a password field that is copied into a fixed-size buffer without length checking, causing overflow.

CVE-2026-57273
High

The GeoWebPlayer addon (Web Plugin/WS Player) for GeoVision software contains a buffer overflow vulnerability in the handle_connection_info function. An attacker from localhost can send a crafted JSON request that overflows a buffer in the username field due to manual byte-by-byte copying without length checks.

CVE-2026-57272
High

A vulnerability in GeoWebPlayer (Web Plugin) allows out-of-bounds array access due to improper index validation in WebSocket commands. An attacker from localhost can exploit this to perform unauthorized operations.

CVE-2026-57271
High

The GeoWebPlayer addon (also known as Web Plugin or WS Player) for GeoVision software (GV-VMS, GV-Cloud) contains an out-of-bounds read vulnerability in the handling of the 'pause' command. This could lead to unexpected behavior or potential security compromise.

CVE-2026-57270
High

A vulnerability in GeoWebPlayer (Web Plugin/WS Player) for GeoVision software (GV-VMS, GV-Cloud) stems from missing validation of the `index` value in commands received from localhost. This allows out-of-bounds array access, potentially leading to uncontrolled behavior.

CVE-2026-57269
High

A vulnerability in GeoWebPlayer (Web Plugin/WS Player) for GeoVision software (GV-VMS, GV-Cloud) stems from missing validation of the 'index' value in the 'disconnect' command of the WebSocket server. This allows out-of-bounds array access, potentially leading to unexpected behavior or control flow hijacking.

CVE-2026-57268
High

The GeoWebPlayer addon (Web Plugin/WS Player) for GeoVision software (GV-VMS, GV-Cloud) contains an out-of-bounds read vulnerability in the `saveVideo` command. The index from the WebSocket message is not validated, allowing access to critical sections and function pointers beyond array bounds, potentially leading to arbitrary code execution.

CVE-2026-57267
High

A vulnerability in GeoWebPlayer (Web Plugin/WS Player) allows out-of-bounds array access via improper validation of the 'index' value in the 'snapshot' command. An attacker from localhost can exploit this to perform unauthorized operations.

CVE-2026-57266
High

The GeoWebPlayer (Web Plugin/WS Player) addon for GeoVision software (GV-VMS, GV-Cloud) contains an out-of-bounds array access vulnerability in the 2wayAudio command. The WebSocket server accepts commands from localhost, and the 'index' value is not validated, allowing access to memory beyond the intended range.

CVE-2026-57265
High

GeoWebPlayer (also known as Web Plugin or WS Player) is an addon for GeoVision software (GV-VMS, GV-Cloud) that creates a WebSocket server. Many commands accept an `index` parameter that is not validated for range, allowing out-of-bounds array access.

CVE-2026-57264
High

A vulnerability in GeoWebPlayer (Web Plugin) allows out-of-bounds array access via the setPIP command, where the 'index' value is not validated for proper range. This can lead to uncontrolled memory read or write.

CVE-2026-13132
High

A vulnerability in GeoWebPlayer (Web Plugin) allows out-of-bounds array access via the setStream command. Missing index validation lets an attacker from localhost perform operations on unintended memory areas.

CVE-2026-13131
High

A vulnerability in GeoWebPlayer (Web Plugin) allows out-of-bounds array access via an uncontrolled 'index' parameter in the connectInfo command. Lack of index range validation enables an attacker from localhost to trigger unintended actions.

CVE-2026-13125
High

GeoWebPlayer (also called Web Plugin or WS Player) is an addon for GeoVision software (GV-VMS, GV-Cloud) that runs a WebSocket server without requiring authentication. A malicious website can connect to this server and invoke the `create` and `getScreenCapture` methods to capture the user's screen content.

CVE-2026-55794
High

Craft CMS versions 5.9.0 through 5.10.0 contain a vulnerability where control panel users with entry editing permissions can execute unsandboxed Twig code via the HTTP Referrer header, leading to authenticated remote code execution (RCE). The issue occurs when saving entries, as the signed redirect URL string is compiled as a Twig template without sandboxing.

CVE-2026-50279
High

In Craft CMS versions 5.0.0-RC1 through 5.9.20, a vulnerability allows bypassing permission checks when saving entries. A low-privileged user can change the author of an entry to another user without the required permissions, leading to authorship spoofing.

CVE-2026-55790
High

In Craft CMS versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can inject a JavaScript payload into a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget's 'Give feedback' screen and searches for a term that returns the poisoned issue, the payload executes in the admin's control panel session.

CVE-2026-50284
High

In Craft CMS versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, the folder deletion function does not enforce peer asset deletion permissions. A low-privilege user can delete folders and all contained assets, including those uploaded by other users.

CVE-2026-14432
High

A use-after-free vulnerability was found in the V8 engine of Google Chrome prior to version 150.0.7871.46. A remote attacker can exploit a crafted HTML page to execute arbitrary code within the sandbox environment.

CVE-2026-14431
High

A type confusion vulnerability in the V8 engine of Google Chrome prior to version 150.0.7871.46 allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. The issue is rated as high severity.

PreviousPage 14 of 3333Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS