How is CVE-2026-6824 exploited?

Network reachability (required): The attacker must reach the NVR's web interface over the network to submit the malicious input. Authentication (required): PR:H indicates an administrative or otherwise privileged account on the NVR is needed to store the payload. Victim interaction (required): Another administrator or user must browse to the affected page for the stored script to execute in their session. Attack complexity (info): AC:L indicates the exploit is reliable once the payload is stored, with no race conditions or environmental prerequisites.

What is the impact of CVE-2026-6824?

Executes attacker-controlled JavaScript in the victim's authenticated browser session against the NVR web UI. Reads session cookies and tokens, enabling hijacking of the victim's NVR session. Performs unauthorized actions as the victim, including changes to video feeds, user accounts, and device configuration. Exfiltrates data rendered in the victim's browser, such as camera streams, recordings metadata, and account details.

Back to search

HIGHCVE-2026-6824Published 2026-05-29Modified 2026-05-29CNA icscert

CVE-2026-6824: CP Plus 8 Ch. Network Video Recorder Cross-site Scripting

A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A stored cross-site scripting flaw affects CP Plus 1xxx series 8-channel Network Video Recorder devices, where specific functional modules fail to sanitize user-supplied input before persisting it to the device backend. The bug is reachable over the network but requires an administrative account to plant the payload and another user to load the affected page, at which point injected scripts execute in the victim's browser and can hijack sessions, perform actions as the victim, or steal stored data. No upstream fix has been published; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as CP Plus ships one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE record is ingested from upstream feeds within minutes of publication and matched against firmware and container images in customer registries and build pipelines, including custom-built images. Coverage extends to images that embed the affected CP-UNR-108F1 web stack or system components.

Available

Triage

Triage is available with the published CVSS 3.1 score of 8.4 (High) applied as the baseline, then reweighted per environment against each customer's compliance policy (for example, devices on isolated CCTV VLANs may be deprioritized relative to internet-exposed NVRs). Findings are routed to the appropriate inbox inside each customer org based on image ownership and workload tags.

Available

Patch

No fix version has been published by CP Plus, so HarborGuard re-checks the advisory each ingest cycle for upstream patch availability. The moment a fixed firmware or image is released, a patched-image rebuild becomes available, and customers with auto-remediation enabled get the rebuild, a regression test run, and a PR opened against affected workloads automatically.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the NVR's web interface over the network to submit the malicious input.
AuthenticationRequired
PR:H indicates an administrative or otherwise privileged account on the NVR is needed to store the payload.
Victim interactionRequired
Another administrator or user must browse to the affected page for the stored script to execute in their session.
Attack complexityDetail
AC:L indicates the exploit is reliable once the payload is stored, with no race conditions or environmental prerequisites.

Blast Radius

Executes attacker-controlled JavaScript in the victim's authenticated browser session against the NVR web UI.
Reads session cookies and tokens, enabling hijacking of the victim's NVR session.
Performs unauthorized actions as the victim, including changes to video feeds, user accounts, and device configuration.
Exfiltrates data rendered in the victim's browser, such as camera streams, recordings metadata, and account details.

How HarborGuard Handles This

Available on HarborGuard: continuous tracking of the CP Plus advisory with automatic re-check on every ingest cycle, so a patched-image rebuild surfaces the moment CP Plus publishes fixed firmware. In the meantime, compensating-control guidance is available, including isolating NVR management interfaces on a dedicated VLAN, restricting administrative access to known jump hosts, enforcing egress filtering from the NVR network, and limiting which accounts hold the privileged role required to store content in the vulnerable modules. For environments that opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be generated automatically once the upstream fix lands.

See how HarborGuard automates this

CVSS v3.1: 8.4
Severity: HIGH
Fixed in: —
Affected Products: 3

Affected packages

CP Plus / CP-UNR-108F1 Hardware
1.0
CP Plus / CP-UNR-108F1 Web
3.2.7.128806
CP Plus / CP-UNR-108F1 System
4.001.00AT009.0.R

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

References