{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4860", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-25T16:28:39.937Z", "datePublished": "2026-03-26T08:18:03.574Z", "dateUpdated": "2026-03-26T08:18:03.574Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-26T08:18:03.574Z"}, "title": "648540858 wvp-GB28181-pro API Endpoint RedisTemplateConfig.java GenericFastJsonRedisSerializer deserialization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "Deserialization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "Improper Input Validation"}]}], "affected": [{"vendor": "648540858", "product": "wvp-GB28181-pro", "versions": [{"version": "2.7.0", "status": "affected"}, {"version": "2.7.1", "status": "affected"}, {"version": "2.7.2", "status": "affected"}, {"version": "2.7.3", "status": "affected"}, {"version": "2.7.4", "status": "affected"}], "modules": ["API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in deserialization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-25T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-25T17:33:45.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Winegee (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.353191", "name": "VDB-353191 | 648540858 wvp-GB28181-pro API Endpoint RedisTemplateConfig.java GenericFastJsonRedisSerializer deserialization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353191", "name": "VDB-353191 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776213", "name": "Submit #776213 | WVP PRO wvp-GB28181-pro 2.7.4 Deserialization", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wing3e/public_exp/issues/1", "tags": ["exploit", "issue-tracking"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in deserialization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-4860", "lastModified": "2026-03-26T09:16:06.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-26T09:16:06.497", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/wing3e/public_exp/issues/1"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.353191"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.353191"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.776213"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-502"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.7.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.7.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.7.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.7.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.7.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wvp-GB28181-pro", "source": "cna", "vendor": "648540858"}, "product": "wvp-gb28181-pro", "vendor": "648540858"}], "analysis": {"en": {"generated_at": "2026-03-26T09:50:16.794331+00:00", "value": {"mitigation_remediation": ["Apply an official patch or upgrade to a version newer than 2.7.4 once the vendor releases it.", "If a patch is not available, replace GenericFastJsonRedisSerializer with a more secure serialization method or disable Redis deserialization entirely.", "Restrict network exposure of the API Endpoint using firewall rules or network segmentation to limit external access.", "Monitor logs for anomalous deserialization activity or unexpected process creation to detect potential exploitation attempts."], "summary": {"action": "Patch", "impact": "Possible Remote Code Execution due to deserialization"}, "threat_synthesis": {"affected_systems": "The affected product is 648540858 wvp-GB28181-pro, versions up to and including 2.7.4. The specific component impacted is the RedisTemplateConfig.java file in the API Endpoint module. No other vendors, products, or versions are listed as impacted.", "description_and_impact": "The vulnerability lies in the GenericFastJsonRedisSerializer used by the API Endpoint of wvp-GB28181-pro. It deserializes JSON data without proper validation, which can allow an attacker to supply malicious objects. Based on the description that the flaw can be exploited remotely and that an exploit has been released, this flaw is likely capable of enabling arbitrary code execution on the host system.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity issue. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, as the flaw can be triggered by sending crafted data to the API Endpoint over the network. Publicly available exploit code suggests that attackers can leverage the flaw without user interaction."}}}}, "created": "2026-03-26T11:30:08.279389+00:00", "updated": "2026-03-26T12:08:13.733873+00:00", "vendors": ["648540858", "648540858$PRODUCT$wvp-gb28181-pro"]}