CVE-2026-13132

Heap-based Buffer Overflow in GeoWebPlayer Websocket Server

Vulnerability report for CVE-2026-13132, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: 0df08a0e-a200-4957-9bb0-084f562506f9

Description

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web interfaces provided by the GeoVision software and may be necessary for them to function properly. The websocket server can accept various commands coming from localhost. Many of the commands take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However, the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out of bounds.

setStream command index-out-of-bound
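The pattern the description names, an `index` taken from the command and used to address a table with no range check (CWE-129), shown in a hypothetical C command handler next to the corrected form. This is an added illustration, not GeoVision's code: `streams`, `MAX_STREAMS`, `set_stream_unchecked`, `set_stream_checked` and `parse_index` are invented names, the stream table layout is constructed, and the sample index strings in `main` are constructed inputs.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_STREAMS 8   /* constructed: size of the hypothetical stream table */

/* Hypothetical per-stream state. Not GeoVision's real layout, just enough to
 * show what an out-of-bounds index would clobber. */
typedef struct {
    bool active;
    int  channel;
} stream_slot;

static stream_slot streams[MAX_STREAMS];

/* The CWE-129 shape the advisory describes: the `index` from the websocket
 * message addresses the table with no range check, so any value below 0 or
 * at/above MAX_STREAMS reads and writes memory outside `streams`. */
static int set_stream_unchecked(int index, int channel)
{
    streams[index].active  = true;    /* OOB write when index is out of range */
    streams[index].channel = channel;
    return 0;
}

/* Hardened: parse the index field strictly and accept only [0, MAX_STREAMS).
 * Returns 0 and stores the slot in *out, or -1 if the field is rejected. */
static int parse_index(const char *text, size_t *out)
{
    /* Require a leading digit: rejects NULL, empty strings, a leading '-' or
     * '+', and leading whitespace that strtoull would otherwise skip. */
    if (text == NULL || !isdigit((unsigned char)text[0]))
        return -1;

    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                    /* overflow or trailing junk ("3abc") */
    if (v >= MAX_STREAMS)
        return -1;                    /* upper bound of the table */

    *out = (size_t)v;
    return 0;
}

/* setStream with the range check in front of every table access.
 * Returns 0 on success, -1 when the message is rejected. */
static int set_stream_checked(const char *index_text, int channel)
{
    size_t slot;
    if (parse_index(index_text, &slot) != 0) {
        fprintf(stderr, "setStream: rejected index %s\n",
                index_text ? index_text : "(null)");
        return -1;
    }
    streams[slot].active  = true;
    streams[slot].channel = channel;
    return 0;
}

int main(void)
{
    /* Constructed sample index fields: two valid, the rest out of range or malformed. */
    const char *samples[] = { "3", "7", "8", "-1", "4294967295", " 2", "3abc", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = set_stream_checked(samples[i], 10);
        printf("index \"%s\" -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    set_stream_unchecked(1, 5);       /* in range here, so the unchecked path is safe to call */
    return 0;
}
```

The two checks that matter are the sign and the upper bound: parsing the field as unsigned and refusing a leading `-` closes the negative-index path, and comparing against the table size closes the high side. Both have to sit before the first table access, in every command that takes an `index`, not only in `setStream`.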

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: geovision
Product: geowebplayer
Version / Range: * (any version)

CWE

CWE-129: The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

AI Quick Actions
Compliance Impact

The provided information does not explicitly address how CVE-2026-13132 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

The vulnerability involves the GeoWebPlayer websocket server accepting commands from localhost with an index value that is not properly checked for valid range, leading to out-of-bounds array access.

Detection on your network or system would involve monitoring websocket traffic to the GeoWebPlayer service, especially commands sent to the websocket server that include an index parameter.

Since the vulnerable commands are accepted only from localhost, network detection might be limited. You could check for unusual or malformed websocket messages locally targeting the GeoWebPlayer websocket server.

Specific commands to detect exploitation attempts are not provided in the available information.

Mitigation Strategies

Immediate mitigation steps are not explicitly detailed in the provided context or resources.

General best practices would include applying any available patches or updates from GeoVision as soon as they are released.

Additionally, restricting access to the GeoWebPlayer websocket server to trusted localhost processes and monitoring for suspicious activity may help reduce risk.

Executive Summary

The vulnerability exists in GeoWebPlayer, an addon for GeoVision software, which creates a websocket server to enhance web-interface capabilities. This server accepts commands from localhost, many of which use an 'index' value to access arrays. However, the 'index' is not properly checked for valid range, allowing out-of-bound access to multiple arrays.

Specifically, the 'setStream' command can use an out-of-bound index, potentially leading to critical sections being accessed improperly or unintended function calls being executed.

Impact Analysis

This vulnerability has a high severity score (CVSS 8.3) and can lead to significant impacts including complete compromise of confidentiality, integrity, and availability of the affected system.

  • An attacker could exploit the out-of-bound array access to execute unintended actions or access sensitive data.
  • It may allow attackers to disrupt system operations or gain unauthorized control over the software.
