Skip to main content

CP Plus NVR EUVDEUVD-2026-33363

| CVE-2026-6824 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-29 icscert GHSA-99qx-w46m-63ww
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 17:50 vuln.today

DescriptionCVE.org

A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.

AnalysisAI

Stored cross-site scripting in CP Plus 1xxx series Network Video Recorder (NVR) devices, specifically the CP-UNR-108F1 hardware/web/system components, allows authenticated high-privileged attackers to inject persistent JavaScript payloads into backend storage that execute in administrators' browsers on page load. With CVSS 8.4 and a Scope:Changed vector, successful exploitation enables session hijacking, unauthorized administrative actions against the video surveillance device, and theft of footage or credentials. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected devices are CP Plus CP-UNR-108F1 Network Video Recorders, a line of physical surveillance appliances used in IP camera deployments, with the flaw spanning the hardware platform, embedded web management interface, and underlying system firmware per the CPE coverage. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where input submitted to specific functional modules of the web UI is stored without HTML/JavaScript-context output encoding and later rendered verbatim back into administrative pages. Because the payload is persistent on the device backend rather than reflected in a single request, every administrator who later visits the affected management page becomes a victim, and the scripts execute within the trusted origin of the NVR's management portal.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied input - the references point only to the CISA ICS advisory ICSA-26-148-05 and CSAF document rather than a tagged firmware release, so administrators should consult those advisories (https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05) for the latest CP Plus firmware guidance and apply the vendor-fixed image as soon as it is published. Compensating controls in the interim: place the NVR management interface on a dedicated, ACL-restricted management VLAN reachable only from a hardened jump host (trade-off: blocks legitimate remote admin from operator workstations); reduce the number of accounts holding high-privilege roles to limit who can plant a stored payload (trade-off: increases operational toil for shared environments); have administrators use a separate, hardened browser profile with scripting disabled for the NVR UI where feasible (trade-off: may break some management widgets); and monitor NVR audit logs for unexpected configuration changes in the modules accepting user-supplied strings.

Share

EUVD-2026-33363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy