CVE-2026-4597: SQL Injection in 648540858 wvp-GB28181-pro
CVE-2026-4597 is a medium severity SQL injection vulnerability affecting versions 2.7.0 through 2.7.4 of the wvp-GB28181-pro product by vendor 648540858. The flaw exists in the selectAll function within the Stream Proxy Query Handler component, allowing remote attackers to manipulate SQL queries without authentication or user interaction. Exploit code has been publicly released, increasing the risk of exploitation despite no confirmed attacks in the wild yet. The vendor has not responded to disclosure attempts, and no patches are currently available. This vulnerability could lead to unauthorized data access or modification, impacting confidentiality, integrity, and availability. Organizations using this product should prioritize mitigation to prevent potential exploitation.
AI Analysis
Technical Summary
CVE-2026-4597 identifies a SQL injection vulnerability in the wvp-GB28181-pro software, versions 2.7.0 to 2.7.4, specifically in the selectAll function of the Stream Proxy Query Handler component (src/main/java/com/genersoft/iot/vmp/streamProxy/dao/provider/StreamProxyProvider.java). The vulnerability allows an attacker to remotely inject malicious SQL code by manipulating input parameters processed by this function, which does not properly sanitize or validate user-supplied data before incorporating it into SQL queries. The attack vector requires no authentication or user interaction, making it easier to exploit. The vulnerability impacts the confidentiality, integrity, and availability of the underlying database and potentially the entire system relying on this component. The vendor was notified early but has not issued any patches or advisories, and public exploit code has been released, increasing the risk of exploitation. The CVSS v4.0 score of 5.3 reflects a medium severity, considering the ease of remote exploitation but limited scope and privileges required. The affected product is used primarily in video management and streaming proxy contexts, often in surveillance systems compliant with the GB28181 protocol, which is widely adopted in China and other regions for video surveillance integration.
Potential Impact
The SQL injection vulnerability can allow attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data disclosure, data modification, or deletion. This compromises the confidentiality and integrity of sensitive information managed by the wvp-GB28181-pro system. Additionally, attackers could disrupt service availability by corrupting or deleting critical data, causing denial of service. Since the vulnerability can be exploited remotely without authentication, attackers can target exposed instances over the internet or internal networks. Organizations relying on this product for video surveillance and streaming may face operational disruptions, data breaches, and compliance violations. The lack of vendor response and patches increases the window of exposure, elevating the risk of widespread exploitation once attackers integrate the public exploit into their toolkits.
Mitigation Recommendations
Organizations should immediately audit their deployments of wvp-GB28181-pro versions 2.7.0 through 2.7.4 to identify vulnerable instances. Network-level protections such as firewall rules should restrict access to the affected service to trusted internal networks only, minimizing exposure to remote attackers. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the selectAll function. Where possible, implement input validation and sanitization at the application or proxy layer to prevent malicious SQL payloads. Monitor logs for unusual query patterns or errors indicative of injection attempts. Since no official patch is available, consider isolating or disabling the vulnerable component temporarily if feasible. Engage with the vendor for updates or consider migrating to alternative solutions with active security support. Finally, maintain regular backups of critical data to enable recovery in case of compromise.
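The flaw class described for selectAll, next to the application-layer fix, as an added example (not code from wvp-GB28181-pro or from this page). It assumes the provider is a MyBatis-style SQL provider that returns query text; the table, column and `query` parameter names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; NOT the project's code. Table, columns and the "query"
// key are hypothetical. #{...} is MyBatis bound-parameter syntax.
public class StreamProxyProviderSketch {

    private static final String BASE =
        "SELECT st.* FROM stream_proxy st WHERE 1=1";   // hypothetical schema

    // Vulnerable pattern: the caller's value becomes part of the SQL text, so a
    // quote in the value ends the string literal and the rest is parsed as SQL.
    public static String selectAllConcatenated(Map<String, Object> params) {
        StringBuilder sql = new StringBuilder(BASE);
        Object query = params.get("query");
        if (query != null) {
            sql.append(" AND st.app LIKE '%").append(query).append("%'");
        }
        return sql.append(" ORDER BY st.id").toString();
    }

    // Hardened pattern: the provider emits only a placeholder. MyBatis turns
    // #{query} into a JDBC '?' and sends the value separately, as data.
    public static String selectAllBound(Map<String, Object> params) {
        StringBuilder sql = new StringBuilder(BASE);
        if (params.get("query") != null) {
            sql.append(" AND st.app LIKE CONCAT('%', #{query}, '%')");
        }
        return sql.append(" ORDER BY st.id").toString();
    }

    public static void main(String[] args) {
        Map<String, Object> params = new HashMap<>();
        params.put("query", "lobby'cam");   // constructed input containing a quote

        String unsafe = selectAllConcatenated(params);
        String safe = selectAllBound(params);

        // The SQL text must not depend on the caller's value.
        System.out.println("concatenated: " + unsafe);
        System.out.println("  contains input: " + unsafe.contains("lobby'cam"));
        System.out.println("bound:        " + safe);
        System.out.println("  contains input: " + safe.contains("lobby'cam"));
    }
}
```

When reviewing a provider class for this pattern, note that MyBatis `${...}` is textual substitution and carries the same risk as concatenation. Values that cannot be bound, such as sort columns, need an allow-list instead.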
Affected Countries
China, United States, India, Russia, South Korea, Japan, Germany, United Kingdom, France, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-22T14:42:56.401Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c1a302f4197a8e3b8aa1e9
Added to database: 3/23/2026, 8:30:58 PM
Last enriched: 3/23/2026, 8:46:34 PM
Last updated: 3/23/2026, 9:33:08 PM