Platform: java
Component: public_exp
Fixed in: 2.7.5
CVE-2026-3966 is a server-side request forgery (SSRF) vulnerability in wvp-GB28181-pro, a Java-based component. By controlling the destination of a request the server makes on their behalf, an attacker can reach internal services and potentially expose sensitive data. Versions up to 2.7.4-20260107 are affected; the listing above records 2.7.5 as the fixed version, but the vendor had not responded to early disclosure attempts.
The flaw lets an attacker make the wvp-GB28181-pro server issue requests to destinations of the attacker's choosing, so resources that are reachable only from the server (internal APIs, management interfaces, hosts behind the firewall) become reachable from outside. Possible outcomes include port-scanning the internal network, calling internal APIs and, depending on which URL schemes the underlying HTTP client accepts, reading local files. The request target is taken directly from the streamIp argument, which makes exploitation straightforward. With an exploit publicly available, the risk of immediate exploitation is high.
The vulnerability is publicly disclosed with a working exploit, and it has been added to the CISA KEV catalog, which records vulnerabilities with evidence of exploitation in the wild. The absence of a vendor response raises concerns about how quickly a patch arrives and how long exploitation continues.
Any organization running wvp-GB28181-pro is at risk, especially where the component can reach internal services. Multi-tenant deployments in which several customers share one server instance are particularly exposed, since an attacker could use the flaw to reach resources belonging to other tenants.
• linux / server (assumes the service runs as a systemd unit named wvp-GB28181-pro and logs request parameters; adjust the unit name to your deployment):
journalctl -u wvp-GB28181-pro | grep -i "streamIp"
• generic web (confirms only that the endpoint is exposed; response headers do not reveal whether the SSRF is exploitable):
curl -sI <wvp-GB28181-pro_endpoint>
Tags: disclosure, poc, kev
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS-vector
Because the vendor has not responded, immediate mitigation options are limited. As a temporary workaround, enforce strict validation of the streamIp parameter: accept only values from an allowlist of trusted media-server addresses and reject loopback, link-local and other internal ranges that are not on it. A Web Application Firewall (WAF) can block inbound requests carrying suspicious streamIp values, but it does not see the server's outbound traffic; restrict that with egress filtering (host firewall or network policy) so the wvp-GB28181-pro server can only reach the media servers it is meant to talk to. Monitor for unexpected outbound connections originating from the server. After upgrading to a patched version (2.7.5 per the listing above, or later), confirm the fix by submitting a streamIp value that points at a host you control and checking that no connection from the server arrives.
Update to a patched version or implement security measures that validate and sanitize the MediaServer.streamIp input to prevent server-side request forgery (SSRF). Given the vendor's lack of response, apply these measures immediately.
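The two mitigations above, an allowlist check on streamIp and a scan of request logs for values that would have been blocked, share the same classification logic, so the following added example covers both. It is not code from wvp-GB28181-pro or its maintainers; the allowlist addresses, the log line format and the request path are constructed for the example and would have to be replaced with your own configuration and log format. The classifier accepts only IP literals that appear in the configured allowlist and reports why anything else looks like an SSRF attempt, including edge cases such as IPv4-mapped IPv6 and percent-encoded values; the same rules port directly to the Java side of the application.

```python
import ipaddress
import re
from urllib.parse import unquote

# Hypothetical allowlist: the media servers this WVP instance is actually
# configured to manage. In a real deployment this comes from configuration,
# never from anything the caller can supply.
ALLOWED_STREAM_IPS = frozenset(
    ipaddress.ip_address(a) for a in ("10.0.5.20", "10.0.5.21")
)


def classify_stream_ip(value, allowed=ALLOWED_STREAM_IPS):
    """Return (verdict, reason) for a submitted streamIp value.

    Only IP literals present in the allowlist are accepted. Everything else is
    rejected with a reason describing why it looks like an SSRF attempt.
    """
    value = unquote(value).strip()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        # Hostnames, decimal forms such as "2130706433", shorthand such as
        # "127.1" and full URLs all land here: they could resolve anywhere.
        return ("block", "not an IP literal")
    # Unwrap IPv4-mapped IPv6 ("::ffff:127.0.0.1") so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip in allowed:
        return ("allow", "configured media server")
    if ip.is_unspecified:
        return ("block", "unspecified address")  # 0.0.0.0 reaches localhost on Linux
    if ip.is_loopback:
        return ("block", "loopback")
    if ip.is_link_local:
        return ("block", "link-local (cloud metadata range)")
    if ip.is_private:
        return ("block", "private range not in allowlist")
    return ("block", "public address not in allowlist")


# Matches a streamIp query or form parameter in a request log line.
STREAM_IP_RE = re.compile(r'streamIp=([^&\s"]+)')


def scan_log_lines(lines, allowed=ALLOWED_STREAM_IPS):
    """Return (line_no, value, reason) for every streamIp value that would be blocked."""
    findings = []
    for n, line in enumerate(lines, 1):
        for raw in STREAM_IP_RE.findall(line):
            verdict, reason = classify_stream_ip(raw, allowed)
            if verdict == "block":
                findings.append((n, unquote(raw), reason))
    return findings


# Constructed sample log lines. The format and the request path are made up
# for this example and are not wvp-GB28181-pro's real log format.
SAMPLE_LOG = """\
2026-01-12T10:01:03Z INFO POST /api/media_server/save from=10.0.5.2 streamIp=10.0.5.20
2026-01-12T10:02:17Z INFO POST /api/media_server/save from=203.0.113.9 streamIp=127.0.0.1
2026-01-12T10:02:18Z INFO POST /api/media_server/save from=203.0.113.9 streamIp=169.254.169.254
2026-01-12T10:02:19Z INFO POST /api/media_server/save from=203.0.113.9 streamIp=%3A%3Affff%3A127.0.0.1
2026-01-12T10:02:20Z INFO POST /api/media_server/save from=203.0.113.9 streamIp=10.20.30.40
2026-01-12T10:02:21Z INFO POST /api/media_server/save from=203.0.113.9 streamIp=internal-db.corp
"""

if __name__ == "__main__":
    for line_no, value, reason in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: streamIp={value!r} blocked: {reason}")
```

The allowlist is compared after parsing, so textual variants of an allowed address do not slip past a string comparison, and the private-range check comes after the allowlist check because media servers normally do sit on internal addresses; the goal is to reject internal targets that are not the configured ones, not internal addresses as such.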
CVE-2026-3966 is a server-side request forgery vulnerability affecting wvp-GB28181-pro versions up to 2.7.4-20260107. It allows attackers to manipulate internal requests, potentially exposing sensitive data.
You are affected if you are using wvp-GB28181-pro version 2.7.4-20260107 or earlier. Assess your deployments immediately.
Upgrade to a patched version of wvp-GB28181-pro (the listing records 2.7.5 as the fixed version). Until then, validate the streamIp parameter against an allowlist, restrict the server's outbound connections with egress filtering, and use WAF rules as a temporary mitigation.
Yes. A public exploit is available, and the vulnerability has been added to the CISA KEV catalog, which records vulnerabilities with evidence of exploitation in the wild.
As of the disclosure date, the vendor had not released an official advisory. Monitor the project's website and security mailing lists for updates.