Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.
AnalysisAI
Stored cross-site scripting in CP Plus 1xxx series Network Video Recorder (NVR) devices, specifically the CP-UNR-108F1 hardware/web/system components, allows authenticated high-privileged attackers to inject persistent JavaScript payloads into backend storage that execute in administrators' browsers on page load. With CVSS 8.4 and a Scope:Changed vector, successful exploitation enables session hijacking, unauthorized administrative actions against the video surveillance device, and theft of footage or credentials. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The affected devices are CP Plus CP-UNR-108F1 Network Video Recorders, a line of physical surveillance appliances used in IP camera deployments, with the flaw spanning the hardware platform, embedded web management interface, and underlying system firmware per the CPE coverage. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where input submitted to specific functional modules of the web UI is stored without HTML/JavaScript-context output encoding and later rendered verbatim back into administrative pages. Because the payload is persistent on the device backend rather than reflected in a single request, every administrator who later visits the affected management page becomes a victim, and the scripts execute within the trusted origin of the NVR's management portal.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied input - the references point only to the CISA ICS advisory ICSA-26-148-05 and CSAF document rather than a tagged firmware release, so administrators should consult those advisories (https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05) for the latest CP Plus firmware guidance and apply the vendor-fixed image as soon as it is published. Compensating controls in the interim: place the NVR management interface on a dedicated, ACL-restricted management VLAN reachable only from a hardened jump host (trade-off: blocks legitimate remote admin from operator workstations); reduce the number of accounts holding high-privilege roles to limit who can plant a stored payload (trade-off: increases operational toil for shared environments); have administrators use a separate, hardened browser profile with scripting disabled for the NVR UI where feasible (trade-off: may break some management widgets); and monitor NVR audit logs for unexpected configuration changes in the modules accepting user-supplied strings.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33363
GHSA-99qx-w46m-63ww