CVE-2026-4860: Unsafe Deserialization in wvp-GB28181-pro

Verified by Precogs Threat Research
Last Updated: Mar 26, 2026
Base Score
HIGH

Executive Summary

CVE-2026-4860 is a high-severity Unsafe Deserialization vulnerability (CWE-502) in wvp-GB28181-pro, a Java video surveillance platform implementing GB28181, affecting releases up to 2.7.4. Because native Java deserialization of attacker-controlled input can lead to remote code execution without authentication, affected deployments should be patched immediately and kept off untrusted networks until they are.

Precogs AI Insight

"Precogs AI detected this vulnerability pattern in Unsafe Deserialization implementations. The pattern deviates from documented secure coding standards, suggesting a high likelihood of exploitation if unpatched."

Exploit Probability: Elevated (52%)
Public POC: Undisclosed
Weakness: CWE-502 (Deserialization of Untrusted Data)

Summary

A high-severity unsafe deserialization vulnerability (CVE-2026-4860) has been identified in wvp-GB28181-pro (a video surveillance platform implementing the GB28181 protocol), affecting versions up to 2.7.4. The application deserializes untrusted data without validation (CWE-502).

Technical Details

The issue is classified under CWE-502 (Deserialization of Untrusted Data) with input validation failures (CWE-20). The Java-based application accepts serialized objects from network requests and passes them directly to deserialization routines without type filtering or integrity checks.

Exploitation does not require a flaw in the application's own classes. An attacker builds a payload from a publicly known gadget chain (for example one of the Apache Commons Collections or Spring Framework chains, which only work if that library is present on the application's classpath) so that the object graph's readObject, hashCode or toString callbacks perform attacker-chosen method calls while the stream is being deserialized. Jackson Databind gadgets belong to a related but distinct surface: JSON input parsed with polymorphic type handling enabled.

Exploitation Context

  • Vector: Remote / Network-based
  • Authentication: Not required
  • Complexity: Low
  • Impact: High (Confidentiality, Integrity, and Availability)

As a video surveillance platform, wvp-GB28181-pro typically runs with elevated privileges and has direct network reachability to camera and NVR infrastructure, so a foothold on it is a convenient pivot for lateral movement as well as a way to tamper with or disable video evidence.

Remediation

Administrators of wvp-GB28181-pro should immediately:

  1. Upgrade to a release newer than 2.7.4 that implements deserialization filters and type whitelisting.
  2. Until the upgrade is deployed, enforce a Java deserialization filter (ObjectInputFilter, JEP 290) that allowlists only the classes the application legitimately expects; this can be applied JVM-wide with the jdk.serialFilter system property without modifying the application, or per stream in code.
  3. Replace native Java serialization with safer alternatives such as JSON (with polymorphic type handling left disabled) for inter-service communication, so that the input format cannot name arbitrary classes at all.
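The following Java program is an added example, not code from wvp-GB28181-pro or from this advisory. It places the unfiltered readObject() pattern described under Technical Details beside the JEP 290 allowlist filter recommended in step 2, and shows that the filter rejects an unexpected class before it is resolved. The DeviceStatus and Unexpected classes, the constructed device ID, and the depth and reference caps are assumptions chosen for the demonstration; they are not the project's own types or limits. It requires Java 9 or later for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Added example: unfiltered vs. allowlisted Java deserialization (JEP 290). */
public class DeserializationFilterDemo {

    /** Hypothetical DTO: the only type this endpoint legitimately expects. */
    public static final class DeviceStatus implements Serializable {
        private static final long serialVersionUID = 1L;
        final String deviceId;
        final boolean online;
        DeviceStatus(String deviceId, boolean online) { this.deviceId = deviceId; this.online = online; }
        @Override public String toString() { return deviceId + (online ? " online" : " offline"); }
    }

    /** Stand-in for any class an attacker would rather have instantiated (a gadget). */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String cmd = "id";
    }

    /** Vulnerable pattern: whatever class descriptor the stream names is resolved and instantiated. */
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /**
     * Allowlist filter: only DeviceStatus may be resolved; every other class is REJECTED
     * before it is loaded. Depth and reference caps (assumed values) bound resource use
     * against deeply nested or self-referencing graphs.
     */
    static final ObjectInputFilter ALLOW_DEVICE_STATUS = info -> {
        if (info.depth() > 4 || info.references() > 64) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            // Callback for a limit check with no class involved; let the defaults decide.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        return c == DeviceStatus.class
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    /** Hardened pattern: the filter is attached to the stream before readObject() runs. */
    static DeviceStatus deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOW_DEVICE_STATUS);
            return (DeviceStatus) in.readObject();
        }
    }

    /** Helper to produce serialized bytes, standing in for a network request body. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate status and an unexpected class, both as raw bytes.
        byte[] good = serialize(new DeviceStatus("34020000001320000001", true));
        byte[] bad = serialize(new Unexpected());

        System.out.println("unfiltered, expected type : " + deserializeUnfiltered(good));
        // The unfiltered path instantiates the unexpected class; a real gadget's callbacks would run here.
        System.out.println("unfiltered, unexpected    : " + deserializeUnfiltered(bad).getClass().getName());
        System.out.println("filtered, expected type   : " + deserializeFiltered(good));
        try {
            deserializeFiltered(bad);
            System.out.println("filtered, unexpected      : ACCEPTED (filter is not working)");
        } catch (InvalidClassException e) {
            // Expected: the filter rejects the class before it is resolved.
            System.out.println("filtered, unexpected      : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The unfiltered path happily returns an instance of Unexpected; the filtered path throws InvalidClassException with "filter status: REJECTED" without ever loading the class, which is what makes the filter effective against gadget chains. Where the application code cannot be changed, the same policy can be applied process-wide at startup, for example `-Djdk.serialFilter='DeserializationFilterDemo$DeviceStatus;!*'` with the real expected class names substituted; a pattern ending in `!*` rejects everything not explicitly listed.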

Precogs AI Integration

The Precogs AI Code Security Platform detects unsafe deserialization by tracing data flow from network input sources to deserialization sinks. Precogs identifies direct use of ObjectInputStream.readObject(), pickle.loads(), and similar patterns, flagging CWE-502 violations and recommending deserialization filters.
