CVE-2026-7841
Remote Code Execution in GeoVision GV-ASWeb
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: 0df08a0e-a200-4957-9bb0-084f562506f9
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| geovision | gv-asweb | 6.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not explicitly address how the CVE-2026-7841 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is a remote code execution issue found in the Notification Settings of GeoVision GV-ASWeb version 6.2.0. It allows an authenticated user who has System Setting permissions to execute arbitrary commands on the server. This is done by sending a specially crafted HTTP POST request to the ASWebCommon.srf backend endpoint, which bypasses the frontend restrictions intended to prevent such actions.
How can this vulnerability impact me?
The impact of this vulnerability is severe because it enables an authenticated user with certain permissions to execute arbitrary commands on the server remotely. This can lead to full compromise of the affected system, including unauthorized access, data manipulation, service disruption, or further exploitation within the network.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is important to apply any available updates or patches provided by GeoVision as soon as possible, especially since this is a critical remote code execution vulnerability.
GeoVision follows a vulnerability management process that includes prompt release of unscheduled updates for critical vulnerabilities, so users should monitor GeoVision's official cybersecurity advisories and update their GV-ASWeb software accordingly.
Additionally, restricting System Setting permissions to trusted users only and monitoring for unusual HTTP POST requests to the ASWebCommon.srf backend endpoint may help reduce risk until patches are applied.
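One way to do the monitoring described above, as an added example that is not GeoVision's code or part of the original advisory: it reads web server access logs and counts POST requests to ASWebCommon.srf from hosts outside an administrator allowlist. It assumes the server writes W3C extended logs with a #Fields header (the format IIS uses); the allowlist, the sample log lines and the path placeholder are constructed for illustration.

```python
from collections import Counter

ENDPOINT = "aswebcommon.srf"   # endpoint named above, compared case-insensitively
ADMIN_HOSTS = {"10.0.5.20"}    # assumption: hosts expected to change system settings

# Constructed sample log (not real traffic). APP_PATH_PLACEHOLDER stands in for
# the install path, which the page does not give; Other.srf is a made-up name.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2026-05-07 08:01:12 10.0.5.20 admin POST /APP_PATH_PLACEHOLDER/ASWebCommon.srf 200
2026-05-07 08:03:40 10.0.9.77 operator1 GET /APP_PATH_PLACEHOLDER/ASWebCommon.srf 200
2026-05-07 23:14:02 10.0.9.77 operator1 POST /APP_PATH_PLACEHOLDER/ASWebCommon.srf 200
2026-05-07 23:14:09 10.0.9.77 operator1 POST /APP_PATH_PLACEHOLDER/aswebcommon.srf 200
2026-05-07 23:15:00 10.0.9.77 operator1 POST /APP_PATH_PLACEHOLDER/Other.srf 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def unexpected_posts(text, admin_hosts=ADMIN_HOSTS):
    """Count POSTs to the endpoint per (client IP, user) from non-allowlisted hosts."""
    hits = Counter()
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if row.get("cs-method") != "POST" or not stem.endswith("/" + ENDPOINT):
            continue
        ip = row.get("c-ip", "-")
        if ip not in admin_hosts:
            hits[(ip, row.get("cs-username", "-"))] += 1
    return hits

if __name__ == "__main__":
    for (ip, user), n in unexpected_posts(SAMPLE_LOG).most_common():
        print(f"{ip} {user}: {n} POST(s) to {ENDPOINT} from a non-admin host")
```

The endpoint may also serve routine requests, so treat the output as a list to review against who actually holds System Setting permissions, not as proof of exploitation.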