CISA 2026-05-28

CP Plus 8 Ch. Network Video Recorder

CVE-2026-6824

Machine-generated analysis · WAYSCloud LLM

The advisory specifies a stored XSS vulnerability that persists in the device backend and executes when users access affected pages.

Context

The affected product is the CP Plus 8 Ch. Network Video Recorder, a network video recording device used for video surveillance. The advisory states that a stored cross-site scripting vulnerability exists due to insufficient sanitization of user input in certain modules, allowing malicious scripts to execute in authenticated users' browsers. This could lead to session compromise, unauthorized actions, or data manipulation. The advisory explicitly notes deployment in commercial facilities, critical manufacturing, and emergency services across several countries.

Operator considerations

Check: Inventory CP Plus 8 Ch. NVR devices with hardware V1.0, web V3.2.7.128806, or system V4.001.00AT009.0.R. Patch: Update firmware to version CP-UNR-AxxxMars_PN_15_Q_00_V1.00.14.01.T.260326 using the provided link. Log: Monitor web interface access logs for unexpected script execution or anomalous user behavior.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of this vulnerability allows an attacker's malicious script to execute in the browser of any authenticated user or administrator who accesses the affected interface. This could lead to compromise of user sessions, execution of unauthorized actions with the victim's privileges, exposure or manipulation of sensitive data, and degradation of overall system integrity.

The following versions of CP Plus 8 Ch. Network Video Recorder are affected:

CP-UNR-108F1 Hardware V1.0

CP-UNR-108F1 Web V3.2.7.128806

CP-UNR-108F1 System V4.001.00AT009.0.R

Vendor

Equipment

CP Plus

CP Plus 8 Ch. Network Video Recorder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Emergency Services

Countries/Areas Deployed: India, Nepal, United Arab Emirates, Gambia

Com...

Read the full advisory on CISA →