By vendor

Vivotek vulnerabilities

Known CVEs affecting Vivotek products, prioritized by severity, with SEC.co remediation and detection guidance.

6 published vulnerabilities

  • CVE-2026-30650HIGH 8.8

    A remote code execution flaw exists in Vivotek FD8136 network cameras that allows an authenticated attacker to take complete control of the device. The vulnerability resides in the admin interface's event task handler and can be exploited over the network without user interaction, enabling an attacker with valid credentials to execute arbitrary commands with root-level privileges.

  • CVE-2026-30652HIGH 8.8

    A buffer overflow flaw in Vivotek FD8136 network cameras allows authenticated users with admin access to run malicious code with root-level privileges on the device. The vulnerability exists in a specific administrative interface endpoint and affects cameras running firmware version FD8136-VVTK-0300a. An attacker would need valid credentials to exploit it, but once inside the admin panel, they could completely compromise the camera and potentially use it as a foothold into your network.

  • CVE-2026-30649HIGH 7.3

    A buffer overflow vulnerability exists in VIVOTEK's FD8136 network camera that allows an unauthenticated remote attacker to execute arbitrary code. The flaw is located in the set_getparam.cgi component, which handles parameter processing without proper boundary checks. An attacker on the network can send a specially crafted request to trigger the overflow and gain complete control of the device.

  • CVE-2026-35718MEDIUM 6.5

    VIVOTEK FD8136 network cameras running firmware version 0300a contain a path traversal vulnerability in their administrative media download function. An authenticated attacker can craft requests to the vulnerable endpoint to read files anywhere on the device, potentially exposing sensitive configuration data, credentials, or system files. This requires valid login credentials but does not require user interaction to exploit.

  • CVE-2026-35716MEDIUM 6.3

    A stack-based buffer overflow vulnerability exists in VIVOTEK FD8136 IP cameras that allows an authenticated attacker to run arbitrary code with root privileges. The flaw is in the motion privacy configuration endpoint, which fails to validate the size of user input before copying it into a fixed-size buffer on the stack. Because the camera firmware lacks stack protection mechanisms, an attacker can overwrite return addresses and hijack program execution. An authenticated attacker on the network can exploit this remotely by sending a specially crafted POST request.

  • CVE-2026-35717MEDIUM 6.3

    A stack-based buffer overflow exists in the export_language.cgi binary on VIVOTEK FD8136 IP cameras running firmware FD8136-VVTK-0300a. An authenticated attacker can send a specially crafted POST request to the language export endpoint with a malicious Content-Length value that causes the application to read more data than a 60-byte stack buffer can hold, overwriting critical return address information. This allows the attacker to execute arbitrary code with root privileges on the affected device. The vulnerability requires valid credentials to exploit but succeeds because the binary lacks stack protection mechanisms.