CVE-2026-6824 PUBLISHED

CP Plus 8 Ch. Network Video Recorder Cross-site Scripting

Assigner: icscert
Reserved: 21.04.2026 Published: 29.05.2026 Updated: 29.05.2026

A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 8.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	CP Plus
Product	CP-UNR-108F1 Hardware
Versions	Default: unaffected Version 1.0 is affected

Vendor	CP Plus
Product	CP-UNR-108F1 Web
Versions	Default: unaffected Version 3.2.7.128806 is affected

Vendor	CP Plus
Product	CP-UNR-108F1 System
Versions	Default: unaffected Version 4.001.00AT009.0.R is affected

Solutions

CP Plus recommends updating the firmware on the device to the latest firmware version. CP-UNR-AxxxMars_PN_15_Q_00_V1.00.14.01.T.260326 can be downloaded at: https://drive.google.com/file/d/1Ctxdp55UtlrQY7CSepkImM9zFgdcuCyL/view

For firmware access and upgrade instructions, please contact CP Plus

support at: Phone: +91-8800952952 Email: support@cpplusworld.com mailto:support@cpplusworld.com

Credits

Jithin Nambiar J reported this vulnerability to CISA. finder

References

Problem Types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE