CVE-2026-6824 HIGH

CVE-2026-6824: CP Plus 8 Ch. Network Video Recorder Cross-site Scripting

Vendor Cp Plus
Product CP-UNR-108F1 Hardware
Weakness CWE-79 · XSS
Published May 29, 2026
Last update May 29, 2026

CVSS base score

8.4/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated