PatchSiren cyber security CVE debrief

CVE-2026-6824 CP Plus CVE debrief

A stored cross-site scripting (XSS) vulnerability in certain 1xxx series Network Video Recorder (NVR) devices allows authenticated attackers with high privileges to inject malicious scripts that persist on the device backend. When administrators or users subsequently access affected pages, the stored scripts execute in their browsers, potentially enabling session hijacking, unauthorized actions, or data theft. The vulnerability stems from insufficient sanitization of user-supplied input in specific functional modules. CISA published this advisory on May 29, 2026 (ICS Advisory ICSA-26-148-05). The CVSS 3.1 vector indicates network attack vector, low attack complexity, high privileges required, user interaction required, and changed scope with high impacts to confidentiality, integrity, and availability.

Vendor: CP Plus
Product: CP-UNR-108F1 Hardware
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations deploying 1xxx series NVR devices for video surveillance; OT/ICS security teams managing physical security systems; facility security administrators; critical infrastructure operators with integrated video management systems

Technical summary

The vulnerability exists in specific functional modules of 1xxx series NVR devices where user-supplied input is insufficiently sanitized before persistent storage. An attacker with high privileges (PR:H) can inject malicious scripts that are stored on the device backend. Subsequent access by administrators or users triggers execution of these scripts in the browser context (UI:R). The changed scope (S:C) indicates impact beyond the vulnerable component. The CVSS 3.1 score of 8.4 reflects severe potential impacts to confidentiality, integrity, and availability (all rated HIGH) despite the high privilege requirement, due to the network accessibility and low attack complexity.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor firmware updates for affected 1xxx series NVR devices when available, per CISA ICS-CERT guidance
  • Restrict network access to NVR administrative interfaces to trusted management networks only
  • Implement multi-factor authentication for all administrative accounts on affected NVR systems
  • Monitor for anomalous administrative sessions or unexpected script execution in browser-based management consoles
  • Review and validate input sanitization in custom integrations with NVR web interfaces
  • Consider network segmentation to isolate NVR devices from untrusted networks and user workstations
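As an added example (not code from the advisory, from CP Plus or from PatchSiren), the JavaScript below contrasts the CWE-79 pattern in the technical summary, a stored admin-supplied field concatenated straight into a management-console page, with the output-encoding fix that the sanitization review recommended above would look for. The channel record, its field names and the function names are constructed assumptions.

```javascript
// Characters that change meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Output-encode a stored value at the point it is written into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the persisted label is interpolated verbatim, so any
// markup saved by a high-privilege user is rendered for every later viewer.
function renderChannelRowUnsafe(channel) {
  return `<tr><td>${channel.id}</td><td>${channel.label}</td></tr>`;
}

// Hardened pattern: the same template, but every stored field is encoded.
// (When building DOM nodes directly, the equivalent is textContent, not innerHTML.)
function renderChannelRowSafe(channel) {
  return `<tr><td>${escapeHtml(channel.id)}</td><td>${escapeHtml(channel.label)}</td></tr>`;
}

// Constructed sample of a stored record whose label carries active content
// (assumption: the console persists a free-text label per camera channel).
const STORED_CHANNEL = { id: 3, label: 'Lobby <img src=x onerror="alert(1)">' };

// Review check for audits of stored fields: does the rendered row contain any
// tag other than the template's own <tr>/<td>? Anything else came from the data.
function introducesForeignTag(html) {
  return /<(?!\/?t[rd]\b)[a-z]/i.test(html);
}
```

Running both renderers over the same stored record shows the unsafe row carrying a foreign tag and the encoded row carrying none, which is the property a sanitization review of an NVR integration should verify field by field.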

Evidence notes

Primary source is CISA ICS-CERT advisory ICSA-26-148-05. The CVE description and CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H) are sourced from NVD. CWE-79 (Improper Neutralization of Input During Web Page Generation) is identified as the primary weakness. Vendor identification remains uncertain: the record carries 'Unknown Vendor' with low confidence, based on reference-domain analysis; the product appears to be 1xxx series NVR devices.

Official resources

CISA ICS-CERT disclosed this vulnerability on May 29, 2026 via ICS Advisory ICSA-26-148-05. The NVD record was published the same day with vulnerability status 'Received'. No known exploitation in ransomware campaigns has been reported.