Stored XSS (CVE‑2026‑6824) in CP Plus 8‑Channel Network Video Recorder Endangers Critical Surveillance
What It Is — A stored cross‑site scripting (XSS) flaw (CVE‑2026‑6824) in the web interface of CP Plus 8‑channel NVRs allows an attacker to embed malicious JavaScript that runs in the browser of any authenticated user or administrator. The vulnerability stems from insufficient sanitization of user‑supplied input in several firmware modules.
Exploitability — Publicly disclosed; proof‑of‑concept scripts are available. CVSS v3.1 base score 8.4 (High). Exploitation is feasible against any reachable NVR running the vulnerable firmware.
Affected Products — CP‑Plus 8‑Ch. Network Video Recorder:
- Hardware V1.0 (CP‑UNR‑108F1)
- Web firmware V3.2.7.128806 (CP‑UNR‑108F1)
- System firmware V4.001.00AT009.0.R (CP‑UNR‑108F1)
TPRM Impact — Organizations that embed CP Plus NVRs in commercial facilities, manufacturing plants, or emergency‑service sites face a supply‑chain risk: an attacker compromising a recorder can hijack video feeds, exfiltrate surveillance data, or disrupt operations, potentially cascading to partner networks.
Recommended Actions —
- Verify firmware version; upgrade to the vendor‑released patch or latest stable release.
- If a patch is unavailable, disable external web access and enforce strict network segmentation.
- Deploy a Web Application Firewall (WAF) rule to block script tags in NVR UI inputs.
- Enforce multi‑factor authentication for all NVR admin accounts.
- Conduct a focused security review of all deployed CP Plus devices and update incident‑response playbooks.
Source: CISA Advisory – ICSA‑26‑148‑05