Description

A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint, bypassing the frontend restrictions.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-06 | Updated 2026-05-07 | Assigner GV

HIGH: 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

V6.2.0: affected

V6.3.0: unaffected

Timeline

2026-04-28: Initial report to vendor

Credits

Patrick Tung (finder)

References

www.geovision.com.tw/cyber_security.php (vendor-advisory)

cve.org (CVE-2026-7841)

nvd.nist.gov (CVE-2026-7841)
