CVE-2026-6824 - Vulnerability Details

- CP Plus 8 Ch. Network Video Recorder Cross-site Scripting

Description

A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.

Published: 2026-05-29

Score: 8.4 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw allows attackers to inject malicious scripts that are stored on the device, executing in the browsers of administrators or users when they view affected pages. This fault stems from insufficient input sanitization in certain functional modules, enabling persistent client‑side code execution and compromising confidentiality, integrity, and availability of the system as viewed by the user.

Affected Systems

CP Plus devices in the 1xxx series, specifically the CP‑UNR‑108F1 hardware, system and web components. No version ranges are specified in the vendor notes.

Risk and Exploitability

The CVSS score of 8.4 classifies the issue as High severity. Though EPSS data is not provided, the lack of a CISA KEV listing suggests limited but possible exploitation risk. Based on the description, it is inferred that attackers would target the device’s web interface, submitting crafted input that is later rendered and executed when an authenticated user accesses the affected page. The likely attack vector is the web interface, and given its persistent storage nature, any logged‑in user would be affected.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

CP Plus

CP-UNR-108F1 Hardware

unaffected

Version	Status	Constraints
`1.0`	affected	—

CP Plus

CP-UNR-108F1 Web

unaffected

Version	Status	Constraints
`3.2.7.128806`	affected	—

CP Plus

CP-UNR-108F1 System

unaffected

Version	Status	Constraints
`4.001.00AT009.0.R`	affected	—

No data.

No data available yet.

Remediation

Vendor Solution

CP Plus recommends updating the firmware on the device to the latest firmware version. CP-UNR-AxxxMars_PN_15_Q_00_V1.00.14.01.T.260326 can be downloaded at: https://drive.google.com/file/d/1Ctxdp55UtlrQY7CSepkImM9zFgdcuCyL/view For firmware access and upgrade instructions, please contact CP Plus support at: Phone: +91-8800952952 Email: support@cpplusworld.com mailto:support@cpplusworld.com

OpenCVE Recommended Actions

Upgrade the firmware to the latest release, CP‑UNR‑AxxxMars_PN_15_Q_00_V1.00.14.01.T.260326, as recommended by CP Plus
If a firmware upgrade is not immediately possible, restrict access to the management interface by IP address or VPN, and disable or isolate the functional modules that accept user input
Apply web‑application security controls such as strict input validation, output encoding, and content‑security policies to mitigate the impact of potential future XSS attempts

Generated by OpenCVE AI on May 29, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://drive.google.com/file/d/1Ctxdp55UtlrQY7CSepkImM9zFgdcuCyL/view
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-05.json
https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05

History

Fri, 29 May 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 29 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.
Title		CP Plus 8 Ch. Network Video Recorder Cross-site Scripting
Weaknesses		CWE-79
References		https://drive.google.com/file/d/1Ctxdp55UtlrQY7CSepkImM9zFgdcuCyL/view https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-05.json https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05
Metrics		cvssV3_1 `{'score': 8.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-05-29T16:41:04.548Z

Updated: 2026-05-29T19:38:25.538Z

Reserved: 2026-04-21T20:27:05.770Z

Link: CVE-2026-6824

Vulnrichment

Updated: 2026-05-29T19:38:21.385Z

NVD

Status : Received

Published: 2026-05-29T18:17:13.147

Modified: 2026-05-29T18:17:13.147

Link: CVE-2026-6824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:15:06Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object