CVE-2026-7841 - Vulnerability Details - OpenCVE

A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Geovision	Gv-asmanager
Geovision Inc.	Asmanager

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/virtual-ciso
https://www.spirityenterprise.com/mdr-for-endpoint
https://www.geovision.com.tw/cyber_security.php

History

Wed, 06 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Geovision Geovision gv-asmanager
Vendors & Products		Geovision Geovision gv-asmanager

Wed, 06 May 2026 07:30:00 +0000

Type	Values Removed	Values Added
Description		A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions.
Title		GV-ASWeb Remote Code Execution (RCE) vulnerability
First Time appeared		Geovision Inc. Geovision Inc. asmanager
Weaknesses		CWE-94
CPEs		cpe:2.3:a:geovision_inc.:asmanager:v6.2.0::windows::::: cpe:2.3:a:geovision_inc.:asmanager:v6.3.0::windows:::::
Vendors & Products		Geovision Inc. Geovision Inc. asmanager
References		https://www.geovision.com.tw/cyber_security.php
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GV

Published: 2026-05-06T06:47:53.765Z

Updated: 2026-05-06T06:47:53.765Z

Reserved: 2026-05-05T07:36:15.083Z

Link: CVE-2026-7841

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T08:16:04.490

Modified: 2026-05-06T08:16:04.490

Link: CVE-2026-7841

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7841", "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9", "state": "PUBLISHED", "assignerShortName": "GV", "dateReserved": "2026-05-05T07:36:15.083Z", "datePublished": "2026-05-06T06:47:53.765Z", "dateUpdated": "2026-05-06T06:47:53.765Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0df08a0e-a200-4957-9bb0-084f562506f9", "shortName": "GV", "dateUpdated": "2026-05-06T06:47:53.765Z"}, "title": "GV-ASWeb Remote Code Execution (RCE) vulnerability", "datePublic": "2026-05-05T07:53:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "affected": [{"vendor": "GeoVision Inc.", "product": "ASManager", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "V6.2.0"}, {"status": "unaffected", "version": "V6.3.0"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:geovision_inc.:asmanager:v6.2.0:*:windows:*:*:*:*:*"}, {"vulnerable": false, "criteria": "cpe:2.3:a:geovision_inc.:asmanager:v6.3.0:*:windows:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "A remote code execution vulnerability\nexists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated\nuser with System Setting permissions can execute arbitrary commands on the\nserver by sending a crafted HTTP POST request to the ASWebCommon.srf backend\nendpoint to bypass the frontend restrictions.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A remote code execution vulnerability\nexists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated\nuser with System Setting permissions can execute arbitrary commands on the\nserver by sending a crafted HTTP POST request to the ASWebCommon.srf backend\nendpoint to bypass the frontend restrictions.</p>"}]}], "references": [{"url": "https://www.geovision.com.tw/cyber_security.php", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Reported Vulnerability is going to be fixed with the official release of GeoVision's ASMAnager V6.3.0", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Reported Vulnerability is going to be fixed with the official release of GeoVision's ASMAnager V6.3.0"}]}], "timeline": [{"time": "2026-04-28T17:05:00.000Z", "lang": "en", "value": "Initial report to vendor"}], "credits": [{"lang": "en", "value": "Patrick Tung <patricktkc.work@gmail.com>", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}