CVE-2026-38740

EUVD-2026-30372

14.05.2026, 19:16

Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE credentials and candidates, in cleartext over network interfaces. An attacker with network visibility can intercept these credentials to hijack media streams or authenticate to Foscam's TURN/relay infrastructure to forward arbitrary traffic at the vendor's expense.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Common Weakness Enumeration

CWE-319 - Cleartext Transmission of Sensitive Information
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References

https://github.com/victorGoeman/Foscam-Security-Research/blob/main/CVE-2026-38740.md