Vivotek

All CVEs

42 total · sorted by risk
  • CVE-2017-9828 · Critical · Jun 23, 2017
    risk 0.70 · cvss 9.8 · epss 0.82

    '/cgi-bin/admin/testserver.cgi' of the web service in most of the VIVOTEK Network Cameras is vulnerable to shell command injection, which allows remote attackers to execute any shell command as root via a crafted HTTP request. This vulnerability is already verified on VIVOTEK…

  • CVE-2026-22755 · Critical · Jan 13, 2026
    risk 0.61 · cvss · epss 0.21

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Vivotek. Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382,…

  • CVE-2026-30652 · High · Jun 2, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    A remote buffer overflow vulnerability exists in the /cgi-bin/dido/setdo.cgi endpoint of the admin interface of Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a. This flaw allows an authenticated attacker to execute arbitrary code as root on the device.

  • CVE-2026-30650 · High · Jun 2, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    A post-authentication remote buffer overflow vulnerability exists in the /cgi-bin/admin/eventtask.cgi endpoint of the admin interface of Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a. This flaw allows an authenticated attacker to execute arbitrary code as…

  • CVE-2018-14771 · High · Sep 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.03

    VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 2 of 2) via eventscript.cgi.

  • CVE-2018-14770 · High · Sep 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.03

    VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 1 of 2) via the ONVIF interface, (/onvif/device_service).

  • CVE-2018-14769 · High · Sep 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF.

  • CVE-2018-14768 · High · Aug 29, 2018
    risk 0.57 · cvss 8.8 · epss 0.03

    Various VIVOTEK FD8*, FD9*, FE9*, IB8*, IB9*, IP9*, IZ9*, MS9*, SD9*, and other devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code.

  • CVE-2017-9829 · High · Jun 23, 2017
    risk 0.54 · cvss 7.5 · epss 0.69

    '/cgi-bin/admin/downloadMedias.cgi' of the web service in most of the VIVOTEK Network Cameras is vulnerable, which allows remote attackers to read any file on the camera's Linux filesystem via a crafted HTTP request containing ".." sequences. This vulnerability is already…

  • CVE-2026-30649 · High · Jun 2, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Buffer Overflow vulnerability in VIVOTEK INC FD8136-VVTK-0300a allows a remote attacker to execute arbitrary code via the set_getparam.cgi component

  • CVE-2026-35718 · Medium · Jun 2, 2026
    risk 0.42 · cvss 6.5 · epss 0.01

    A path traversal vulnerability in the /admin/downloadMedias.cgi endpoint of VIVOTEK INC FD8136-VVTK firmware 0300a allows authenticated attackers to read any file on the device via sending a crafted request.

  • CVE-2026-35716 · Medium · Jun 2, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A stack-based buffer overflow in the motion_privacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi,…

  • CVE-2026-35717 · Medium · Jun 2, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A stack-based buffer overflow in the export_language.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via a crafted POST request to the /cgi-bin/admin/export_language.cgi endpoint. The handler passes…

  • CVE-2025-3403 · Low · Apr 8, 2025
    risk 0.18 · cvss 2.7 · epss 0.00

    A vulnerability was found in Vivotek NVR ND8422P, NVR ND9525P and NVR ND9541P 2.4.0.204/3.3.0.104/4.2.0.101. It has been classified as problematic. Affected is an unknown function of the component HTML Form Handler. The manipulation leads to inclusion of sensitive information in…

  • CVE-2013-1598 · Jan 24, 2020
    risk 0.05 · cvss · epss 0.20

    A Command Injection vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via the system.ntp parameter to the farseer.out binary file, which could let a malicious user execute arbitrary code.

  • CVE-2013-1596 · Jan 24, 2020
    risk 0.05 · cvss · epss 0.10

    An Authentication Bypass Vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via specially crafted RTSP packets to TCP port 554.

  • CVE-2013-1594 · Jan 24, 2020
    risk 0.05 · cvss · epss 0.07

    An Information Disclosure vulnerability exists via a GET request in Vivotek PT7135 IP Camera 0300a and 0400a due to wireless keys and 3rd party credentials stored in clear text.

  • CVE-2013-1597 · Jan 24, 2020
    risk 0.04 · cvss · epss 0.14

    A Directory Traversal vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via a specially crafted GET request, which could let a malicious user obtain user credentials.

  • CVE-2013-1595 · Jan 24, 2020
    risk 0.04 · cvss · epss 0.42

    A Buffer Overflow vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via a specially crafted packet in the Authorization header field sent to the RTSP service, which could let a remote malicious user execute arbitrary code or cause a Denial of Service.

  • CVE-2008-4771 · Oct 28, 2008
    risk 0.04 · cvss · epss 0.07

    Stack-based buffer overflow in VATDecoder.VatCtrl.1 ActiveX control in (1) 4xem VatCtrl Class (VATDecoder.dll 1.0.0.27 and 1.0.0.51), (2) D-Link MPEG4 SHM Audio Control (VAPGDecoder.dll 1.7.0.5), (3) Vivotek RTSP MPEG4 SP Control (RtspVapgDecoderNew.dll 2.0.0.39), and possibly…

  • CVE-2007-3167 · Jun 11, 2007
    risk 0.03 · cvss · epss 0.06

    Stack-based buffer overflow in the Vivotek Motion Jpeg ActiveX control (aka MjpegControl) in MjpegDecoder.dll 2.0.0.13 allows remote attackers to execute arbitrary code via a long PtzUrl property value.

  • CVE-2018-14495 · Jul 10, 2019
    risk 0.02 · cvss · epss 0.04

    Vivotek FD8136 devices allow Remote Command Injection, aka "another command injection vulnerability in our target device," a different issue than CVE-2018-14494. NOTE: The vendor has disputed this as a vulnerability and states that the issue does not cause a web server crash or…

  • CVE-2024-7441 · Aug 3, 2024
    risk 0.01 · cvss · epss 0.08

    ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek SD9364 VVTK-0103f. It has been declared as critical. This vulnerability affects the function read of the component httpd. The manipulation of the argument Content-Length leads to stack-based buffer overflow.…

  • CVE-2018-14494 · Jul 10, 2019
    risk 0.01 · cvss · epss 0.03

    Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget. NOTE: the vendor sent a clarification on 2019-09-17 explaining that, although this CVE was first populated in July 2019, it is a historical vulnerability that does not apply to any current or…

  • CVE-2025-66052 · Jan 9, 2026
    risk 0.00 · cvss · epss 0.01

    Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050,…

  • CVE-2025-66051 · Jan 9, 2026
    risk 0.00 · cvss · epss 0.01

    Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for administration panel is not set by…

  • CVE-2025-66050 · Jan 9, 2026
    risk 0.00 · cvss · epss 0.00

    Vivotek IP7137 camera with firmware version 0200a by default does not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need. The vendor has not replied to the CNA. Possibly all…

  • CVE-2025-66049 · Jan 9, 2026
    risk 0.00 · cvss · epss 0.00

    Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the…

  • CVE-2024-7443 · Aug 3, 2024
    risk 0.00 · cvss · epss 0.03

    ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in Vivotek IB8367A VVTK-0100b. Affected is the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. It is possible to launch…

  • CVE-2024-7442 · Aug 3, 2024
    risk 0.00 · cvss · epss 0.03

    ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek SD9364 VVTK-0103f. It has been rated as critical. This issue affects the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. The attack may be…

  • CVE-2024-7440 · Aug 3, 2024
    risk 0.00 · cvss · epss 0.03

    ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek CC8160 VVTK-0100d. It has been classified as critical. This affects the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. It is possible to…

  • CVE-2024-7439 · Aug 3, 2024
    risk 0.00 · cvss · epss 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek CC8160 VVTK-0100d and classified as critical. Affected by this issue is the function read of the component httpd. The manipulation of the argument Content-Length leads to stack-based buffer overflow. The attack…

  • CVE-2024-26548 · Feb 29, 2024
    risk 0.00 · cvss · epss 0.01

    An issue in vivotek Network Camera v.FD8166A-VVTK-0204j allows a remote attacker to execute arbitrary code via a crafted payload to the upload_file.cgi component.

  • CVE-2020-11950 · May 28, 2020
    risk 0.00 · cvss · epss 0.03

    VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to upload and execute a script (with resultant execution of OS commands). For example, this affects IT9388-HT devices.

  • CVE-2020-11949 · May 28, 2020
    risk 0.00 · cvss · epss 0.01

    testserver.cgi of the web service on VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to obtain arbitrary files from a camera's local filesystem. For example, this affects IT9388-HT devices.

  • CVE-2019-14458 · Sep 18, 2019
    risk 0.00 · cvss · epss 0.02

    VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of service via a crafted HTTP header.

  • CVE-2019-10256 · Sep 10, 2019
    risk 0.00 · cvss · epss 0.01

    An authentication bypass vulnerability in VIVOTEK IPCam versions prior to 0x13a was found.

  • CVE-2019-14457 · Sep 10, 2019
    risk 0.00 · cvss · epss 0.03

    VIVOTEK IP Camera devices with firmware before 0x20x have a stack-based buffer overflow via a crafted HTTP header.

  • CVE-2018-14496 · Jul 10, 2019
    risk 0.00 · cvss · epss 0.04

    Vivotek FD8136 devices allow remote memory corruption and remote code execution because of a stack-based buffer overflow, related to sprintf, vlocal_buff_4326, and set_getparam.cgi. NOTE: The vendor has disputed this as a vulnerability and states that the issue does not cause a…

  • CVE-2018-18005 · Jan 3, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in event_script.js in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript via a URL query string parameter.

  • CVE-2018-18244 · Jan 3, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in syslog.html in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript code via an HTTP Referer Header.

  • CVE-2018-18004 · Jan 3, 2019
    risk 0.00 · cvss · epss 0.01

    Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL parameter.