The vulnerability CVE-2026-42366 involves multiple reflected cross-site scripting (CWE-79) flaws in the ssi.cgi component of GeoVision's GV-LPC2011/LPC2211 firmware version 1.10. An attacker can supply a specially crafted URL that, when accessed by a user, causes arbitrary JavaScript code to execute in the context of the victim's browser. This occurs due to improper input neutralization during web page generation. The CVSS 3.1 base score is 7.4, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and high confidentiality impact without integrity or availability impact. The vendor has not published a patch or official remediation, and the product is not a cloud service, so remediation is the responsibility of the end user or administrator.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to theft of sensitive information accessible via the browser session. The vulnerability impacts confidentiality but does not affect system integrity or availability. The attack requires the victim to interact with a malicious URL. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation has been published, users should exercise caution with URLs targeting the affected device's web interface. Network-level protections such as web application firewalls might help mitigate exploitation attempts. Monitor vendor communications for updates on patches or official mitigations.