CVE-2026-13131
Received - Intake

GeoWebPlayer WebSocket Index Out-of-Bounds Access

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: 0df08a0e-a200-4957-9bb0-084f562506f9

Description

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an add-on that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a WebSocket server that expands the capabilities of the various web interfaces provided by the GeoVision software and may be necessary for them to function properly. The WebSocket server can accept various commands coming from localhost. Many of these commands take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However, the `index` value is usually not checked against the valid range, so it can be used to access multiple arrays out of bounds.

#### connectInfo command index-out-of-bound

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

| Vendor | Product | Version / Range |
|---|---|---|
| geovision | geowebplayer | * |

CWE
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |

Executive Summary

The vulnerability exists in GeoWebPlayer, an addon for GeoVision software, which creates a websocket server to enhance web-interface capabilities. This server accepts commands from localhost that include an 'index' value used to access arrays for critical operations. However, the 'index' is not properly validated for valid range, allowing out-of-bound access to multiple arrays.
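The missing range check described above, shown in hardened form as an added example (not GeoWebPlayer code and not part of the original advisory). The table size, `channel_t`, `parse_index` and `handle_indexed_command` are hypothetical names chosen for illustration, and the sample inputs are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHANNELS 16            /* assumed table size, not from the product */

typedef struct { int in_use; int hits; } channel_t;   /* hypothetical state */
static channel_t g_channels[MAX_CHANNELS];

/* Parse an untrusted decimal index and confirm it addresses a valid slot.
 * Returns 0 and stores the index on success; -1 for empty, non-numeric,
 * trailing-junk, negative, overflowing or too-large values. */
int parse_index(const char *text, size_t table_len, size_t *out)
{
    char *end = NULL;
    long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0')
        return -1;
    if (v < 0 || (unsigned long)v >= table_len)
        return -1;                 /* checked as long, before any narrowing */
    *out = (size_t)v;
    return 0;
}

/* Unchecked pattern (CWE-129): g_channels[atoi(text)].hits++;
 * Hardened handler: reject and log before any array is touched. */
int handle_indexed_command(const char *index_text)
{
    size_t idx;
    if (parse_index(index_text, MAX_CHANNELS, &idx) != 0) {
        fprintf(stderr, "rejected index: %s\n", index_text ? index_text : "(null)");
        return -1;
    }
    g_channels[idx].in_use = 1;
    return ++g_channels[idx].hits;
}

int main(void)
{
    const char *samples[] = { "3", "15", "16", "-1", "4294967297", "7x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], handle_indexed_command(samples[i]));
    return 0;
}
```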

Impact Analysis

Because the 'index' value is not checked for valid range, an attacker can exploit this to access arrays out-of-bound, potentially leading to unauthorized access to critical sections, execution of unintended function calls, and other harmful actions. This can result in a high impact on confidentiality, integrity, and availability of the system.

Compliance Impact

The provided information does not explicitly describe how this specific vulnerability (CVE-2026-13131) affects compliance with common standards and regulations such as GDPR or HIPAA.

However, GeoVision maintains a comprehensive cybersecurity policy and adheres to recognized security standards, including achieving Level 2 certification from the Taiwan Association of Information and Communication Standards (TAICS) for video surveillance system security. Their structured vulnerability management process aims to promptly address critical vulnerabilities to protect users, which indirectly supports compliance with security requirements in various regulations.

Detection Guidance

The vulnerability involves the GeoWebPlayer websocket server accepting commands from localhost with an index value that is not properly range-checked, leading to out-of-bounds array access. Detection would involve monitoring websocket traffic on the affected system, especially commands sent to the GeoWebPlayer websocket server that include index parameters.

Since the vulnerable commands are accepted only from localhost, network detection might be limited to local monitoring or host-based detection.

Suggested detection steps include:

  • Monitor websocket server logs or traffic on localhost for suspicious commands containing out-of-range index values.
  • Use system tools to check for unexpected websocket server behavior or crashes related to GeoWebPlayer.
  • No specific commands are provided in the available information to detect this vulnerability directly.

Mitigation Strategies

Immediate mitigation steps should focus on applying available patches or updates from GeoVision, as they maintain a structured vulnerability management process and release unscheduled updates for critical vulnerabilities.

Since the vulnerability involves out-of-bounds access via the GeoWebPlayer websocket server, restricting access to the websocket server to trusted processes or disabling the GeoWebPlayer addon if not required can reduce risk.

GeoVision's cybersecurity policy emphasizes prompt updates and detailed documentation for critical vulnerabilities, so checking their official site for patches or advisories related to this CVE is recommended.
