CVE-2026-38740

MEDIUM

Foscam VD1 <V5.3.13_1072 - Info Disclosure

Title source: llm

Description

Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE credentials and candidates, in cleartext over network interfaces. An attacker with network visibility can intercept these credentials to hijack media streams or authenticate to Foscam's TURN/relay infrastructure to forward arbitrary traffic at the vendor's expense.

References (1)

Core 1

Core References

https://github.com/victorGoeman/Foscam-Security-Research/blob/main/CVE-2026-38740.md

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0013

EPSS Percentile 3.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-319

Status published

Published May 14, 2026

Tracked Since May 15, 2026