Platform: java
Component: public_exp
Fixed in: 2.7.5
CVE-2026-3966 describes a server-side request forgery (SSRF) vulnerability discovered in wvp-GB28181-pro, a Java-based component. This flaw allows attackers to manipulate internal requests, potentially exposing sensitive data or internal services. The vulnerability impacts versions up to 2.7.4-20260107, and a fix is expected from the vendor, though they have not yet responded to early disclosure attempts.
The SSRF vulnerability in wvp-GB28181-pro allows an attacker to craft malicious requests that originate from the server itself. This can be exploited to access internal resources that are not directly accessible from the outside world. For example, an attacker could potentially scan the internal network for open ports, access internal APIs, or even read sensitive configuration files. The ability to manipulate the streamIp argument directly contributes to the ease of exploitation. Given the public availability of an exploit, the risk of immediate exploitation is high.
This vulnerability has been publicly disclosed and an exploit is available, indicating a high probability of exploitation. It has been added to the CISA KEV catalog, further highlighting its significance. The lack of vendor response raises concerns about the timeliness of a patch and the potential for continued exploitation.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
Due to the vendor's lack of response, immediate mitigation options are limited. As a temporary workaround, implement strict input validation on the streamIp parameter, restricting allowed values to a whitelist of trusted IP addresses or domains. Consider deploying a Web Application Firewall (WAF) with rules to block suspicious outbound requests. Monitor network traffic for unusual outbound connections originating from the wvp-GB28181-pro server. After upgrading to a patched version (when available), confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious payload; it should be blocked.
Update to a patched version or implement security measures to validate and sanitize the MediaServer.streamIp input to prevent Server-Side Request Forgery (SSRF) attacks. Due to the vendor's lack of response, it is recommended to implement these security measures immediately.
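The input validation recommended above, as an added example in Java (the project's language); this is not code from wvp-GB28181-pro, and the class name `StreamIpValidator`, the allowlist entries and the sample inputs are all constructed for illustration. It accepts a streamIp value only when it is a bare host with no scheme, port, path or userinfo, is on a configured allowlist, and, for IP literals, does not fall in a loopback, link-local, private or multicast range:

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Allowlist validation for a user-supplied stream host such as the
 * MediaServer.streamIp field named in the advisory. Hypothetical helper,
 * not code from wvp-GB28181-pro.
 */
public final class StreamIpValidator {

    /** Constructed allowlist: replace with the hosts of your own media servers. */
    private static final Set<String> ALLOWED_HOSTS = Set.of(
            "203.0.113.10",       // TEST-NET-3 address used as a sample value
            "media.example.org");

    /** Dotted-quad IPv4 literal, each octet 0-255. */
    private static final Pattern IPV4 = Pattern.compile(
            "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

    /** Conservative hostname shape: dot-separated labels of letters, digits and hyphens. */
    private static final Pattern HOSTNAME = Pattern.compile(
            "^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)*"
            + "[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$");

    private StreamIpValidator() {}

    /**
     * Returns true only when the value is a plain host (no scheme, port, path,
     * userinfo, query or whitespace), is on the allowlist, and, if it is an IP
     * literal, is not in a loopback, link-local, private or multicast range.
     * IPv6 literals are rejected outright; add them to the allowlist deliberately.
     */
    public static boolean isAllowed(String streamIp) {
        if (streamIp == null) return false;
        String value = streamIp.toLowerCase();
        if (value.isEmpty() || value.length() > 253) return false;
        // Reject characters that could smuggle a scheme, port, path, userinfo or query.
        for (char c : value.toCharArray()) {
            if (c == ':' || c == '/' || c == '\\' || c == '@' || c == '?' || c == '#'
                    || Character.isWhitespace(c)) {
                return false;
            }
        }
        boolean isIpLiteral = IPV4.matcher(value).matches();
        if (!isIpLiteral && !HOSTNAME.matcher(value).matches()) return false;
        if (!ALLOWED_HOSTS.contains(value)) return false;
        // Backstop: a reserved range is refused even if it was allowlisted by mistake.
        return !isIpLiteral || isPublicAddress(value);
    }

    /** True when an IPv4 literal is outside the reserved ranges the JDK can identify. */
    static boolean isPublicAddress(String ipv4Literal) {
        try {
            // getByName does not consult DNS for a syntactically valid IPv4 literal.
            InetAddress addr = InetAddress.getByName(ipv4Literal);
            return !(addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                    || addr.isSiteLocalAddress() || addr.isAnyLocalAddress()
                    || addr.isMulticastAddress());
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[] samples = {              // constructed inputs
            "203.0.113.10",               // allowlisted public address: ACCEPT
            "media.example.org",          // allowlisted hostname: ACCEPT
            "MEDIA.example.org",          // case-folded before lookup: ACCEPT
            "127.0.0.1",                  // not allowlisted, loopback: REJECT
            "169.254.169.254",            // not allowlisted, link-local: REJECT
            "203.0.113.10:8080",          // port smuggled in: REJECT
            "media.example.org/admin",    // path smuggled in: REJECT
            "user@media.example.org",     // userinfo smuggled in: REJECT
        };
        for (String s : samples) {
            System.out.printf("%-28s -> %s%n", s, isAllowed(s) ? "ACCEPT" : "REJECT");
        }
    }
}
```

The allowlist is the primary control; the reserved-range check is only a backstop for a misconfigured entry. Because a hostname on the allowlist is not resolved here, the outbound client that later connects to it must resolve the name and re-check the resulting address against the same range rules, otherwise a DNS answer pointing at an internal address would bypass the validation.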
CVE-2026-3966 is a server-side request forgery vulnerability affecting wvp-GB28181-pro versions up to 2.7.4-20260107. It allows attackers to manipulate internal requests, potentially exposing sensitive data.
You are affected if you are using wvp-GB28181-pro version 2.7.4-20260107 or earlier. Assess your deployments immediately.
Upgrade to a patched version of wvp-GB28181-pro when available. Until then, implement input validation and WAF rules as temporary mitigations.
Yes, a public exploit is available, and the vulnerability has been added to the CISA KEV catalog, indicating active exploitation is likely.
As of the disclosure date, the vendor has not released an official advisory. Monitor their website and security mailing lists for updates.