CVE-2026-12851

Geovision GV-I/O Box 4E (version 2.09) contains multiple OS command injection flaws in libNetSetObj.so, including CVE-2026-12851. The vulnerabilities arise from unsanitized inputs in CNetSetObj::m_F_n_Set_DNS_Addr (and related DNS/IP/Netmask/Gateway/config functions), which build shell commands a...

CVE-2026-12849

Ge’oVision GV-I/O Box 4E (2.09) has OS command injection vulnerabilities in libNetSetObj.so (e.g., CNetSetObj::m_F_n_Set_Net_Mask) that allow a attacker-supplied netmask to invoke /sbin/ifconfig via system(), reachable through DVRSearch and Network.cgi. TALOS and NVD enumerate multiple CVEs (incl...

CVE-2026-12486

GeoVision GV-I/O Box 4E (2.09) is affected by OS command injection in libNetSetObj.so, specifically CNetSetObj::m_F_n_Set_IP_Addr, which builds and executes a shell command via system("/sbin/ifconfig ..."). The flaw is reachable from network-exposed DVRSearch and Network.cgi endpoints, enabling r...

GeoVision GV-I/O Box 4E DVRSearch CMD_IP_SET buffer overflow vulnerabilities

Summary Multiple exploitable buffer overflow vulnerabilities exist in the DVRSearch CMDIPSET functionality of GV-I/O Box 4E versions: 2.09. A specially crafted network request can lead to a arbitrary code execution. An attacker can send a network request to trigger these vulnerabilities. Confirme...