Talos Vulnerability Report

TALOS-2026-2375

GeoVision GeoWebPlayer Websocket Server connectInfo handler stack-based buffer overflow vulnerabilities

July 1, 2026
CVE Number

CVE-2026-57273, CVE-2026-57274, CVE-2026-57275, CVE-2026-57276, CVE-2026-57277, CVE-2026-57278

Summary

Multiple exploitable stack-based buffer overflow vulnerabilities exist in the Websocket Server connectInfo handler functionality of GeoWebPlayer (version(s): 1.1.1.0). A specially crafted websocket message can lead to arbitrary code execution. An attacker can stage a malicious webpage to trigger these vulnerabilities.

Confirmed Vulnerable Versions

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

GeoWebPlayer (version(s): 1.1.1.0)

Product URLs

GeoWebPlayer - http://ovision.com.tw/

CVSSv3 Score

8.3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

Details

GeoWebPlayer (also called “Web Plugin” in the GV-VMS documentation and “WS Player” for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, …). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.

CVE-2026-57273 - Buffer Overflow in username field (no key present)

In this function, we can see that an overflow of the conn_info.username buffer can occur if the JSON username field exceeds the buffer size (64 bytes). This code path is reached when no key variable is provided:

v16 = get_entry(json_root, "username");
if ( json_is_value_str(v16) )
{
  v17 = get_entry(json_root, "username");
  v56 = (std_string *)json_value_to_string(v17, (int)&username_obj_str);
  v55 = std_string_get_buffer_(v56);
  username = conn_info.username;
  v53 = conn_info.username;
  do
  {
    v52 = *v55;
    *username = v52;
    v55 = ((char *)v55 + 1);
    ++username;
  }
  while ( v52 );
  string_cleanup(&username_obj_str);
}

CVE-2026-57274 - Buffer Overflow in password field (no key present)

In this function, we can see that an overflow of the conn_info.password buffer can occur if the JSON password field exceeds the buffer size (64 bytes). This code path is reached when no key variable is provided:

v18 = get_entry(json_root, "password");
if ( json_is_value_str(v18) )
{
  v19 = get_entry(json_root, "password");
  v51 = (std_string *)json_value_to_string(v19, (int)&password_obj_str);
  v50 = std_string_get_buffer_(v51);
  password = conn_info.password;
  v48 = conn_info.password;
  do                                    // byte-by-byte copy until NUL, no bound on conn_info.password
  {
    v47 = *v50;
    *password = v47;
    ++v50;
    ++password;
  }
  while ( v47 );
  string_cleanup(&password_obj_str);
}

CVE-2026-57275 - Buffer Overflow in username field (key present)

In this function, we can see that an overflow of the username_enc buffer can occur if the JSON username field exceeds the buffer size (128 bytes). This code path is reached when a key variable is provided:

memset(username_enc, 0, sizeof(username_enc));
v12 = get_entry(json_root, "username");
if ( json_is_value_str(v12) )
{
  v13 = get_entry(json_root, "username");
  v66 = (std_string *)json_value_to_string(v13, (int)&v98);
  v65 = std_string_get_buffer_(v66);
  v64 = username_enc;
  v63 = username_enc;
  do
  {
    v62 = *v65;
    *v64 = v62;
    ++v65;
    ++v64;
  }
  while ( v62 );
  string_cleanup(&v98);
}

CVE-2026-57276 - Buffer Overflow in password field (key present)

In this function, we can see that an overflow of the password_enc buffer can occur if the JSON password field exceeds the buffer size (128 bytes). This code path is reached when a key variable is provided:

memset(password_enc, 0, sizeof(password_enc));
v14 = get_entry(json_root, "password");
if ( json_is_value_str(v14) )
{
  v15 = get_entry(json_root, "password");
  v61 = (std_string *)json_value_to_string(v15, (int)&v97);
  v60 = std_string_get_buffer_(v61);
  v59 = password_enc;
  v58 = password_enc;
  do                                    // byte-by-byte copy until NUL, no bound on password_enc
  {
    v57 = v60->field_0;
    *v59 = v57;
    v60 = (std_string *)((char *)v60 + 1);
    ++v59;
  }
  while ( v57 );
  string_cleanup(&v97);
}

CVE-2026-57277 - Buffer Overflow in key field

In this function, we can see that an overflow of the key_blob buffer can occur if the JSON key field exceeds the buffer size (17 bytes):

memset(key_blob, 0, sizeof(key_blob)); //defined as char key_blob[17]
v70 = get_string_buffer(&key_obj_str);
p_key_blob = &key_blob;
v68 = &key_blob;
do
{
  v67 = *v70;
  *p_key_blob = v67;
  ++v70;
  ++p_key_blob;
}
while ( v67 );

CVE-2026-57278 - Buffer Overflow in ip field

In this function, we can see that an overflow of the conn_info.ip_or_host buffer can occur if the JSON ip field exceeds the buffer size (256 bytes):

v4 = get_entry(json_root, "ip");
if ( json_is_value_str(v4) )
{
  v5 = get_entry(json_root, "ip");
  v75 = (std_string *)json_value_to_string(v5, (int)&v99);
  buffer = std_string_get_buffer_(v75);
  p_conn_info = (char *)&conn_info.ip_or_host;
  v72 = &conn_info;
  do
  {
    v71 = *buffer;
    *p_conn_info = v71;
    ++buffer;
    ++p_conn_info;
  }
  while ( v71 );
  string_cleanup(&v99);
}
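All six excerpts share the same defect: a do/while loop that copies the JSON string byte by byte until its NUL terminator, with no check against the destination size. As an added example (not code from the advisory or from GeoVision), the following shows a bounded replacement for that loop using the field sizes the advisory states; the conn_info layout, the function names and the return-code convention are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Buffer sizes as the advisory states them; char key_blob[17] is the one
   declaration visible in the decompiled excerpts. Layout is assumed. */
#define USERNAME_LEN 64
#define PASSWORD_LEN 64
#define IP_LEN       256
#define KEY_BLOB_LEN 17

struct conn_info {
    char username[USERNAME_LEN];
    char password[PASSWORD_LEN];
    char ip_or_host[IP_LEN];
};

/* Bounded replacement for the decompiled do { *dst++ = *src++; } while (c)
   loop: copies src plus its NUL into dst only if both fit, otherwise leaves
   dst untouched. Returns 0 on success, -1 if src is too long. */
static int copy_field_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* never scan past dst_size */
        n++;
    if (n >= dst_size)
        return -1;                           /* no room for the terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Fills conn_info from already-parsed JSON string values (JSON parsing is
   out of scope). Returns 0, or the 1-based index of the first oversized
   field so the caller can reject the whole connectInfo message. */
int fill_conn_info(struct conn_info *ci, const char *username,
                   const char *password, const char *ip)
{
    memset(ci, 0, sizeof(*ci));
    if (copy_field_checked(ci->username, USERNAME_LEN, username)) return 1;
    if (copy_field_checked(ci->password, PASSWORD_LEN, password)) return 2;
    if (copy_field_checked(ci->ip_or_host, IP_LEN, ip))           return 3;
    return 0;
}

/* Same check for the 17-byte key buffer (CVE-2026-57277): at most 16 bytes
   of key plus the terminator; -1 means the key field must be rejected. */
int fill_key_blob(char key_blob[KEY_BLOB_LEN], const char *key)
{
    memset(key_blob, 0, KEY_BLOB_LEN);
    return copy_field_checked(key_blob, KEY_BLOB_LEN, key);
}
```

A 63-byte username fits; a 64-byte one is refused instead of running off the end of the 64-byte field, and the same bound applies to each field in turn.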

Timeline

2026-03-25 - Initial Vendor Contact
2026-04-21 - Vendor Disclosure
2026-04-28 - Vendor Patch Release
2026-07-01 - Public Release

Credit

Philippe Laulheret of Cisco Talos