Critical XSS Vulnerability Discovered in CP Plus Network Video Recorders
A critical stored Cross-Site Scripting (XSS) vulnerability has been identified in **CP Plus** 8 Ch. Network Video Recorders. Successful exploitation could allow attackers to execute malicious scripts within the browsers of authenticated users and administrators, potentially leading to session hijacking and data theft.
**CISA** has issued an advisory regarding a critical vulnerability affecting **CP Plus** 8 Ch. Network Video Recorders. The vulnerability, identified as **CVE-2026-6824**, is a stored Cross-Site Scripting (XSS) flaw that could allow attackers to compromise user sessions and sensitive data.
[View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-05.json)
### Impact
Successful exploitation of this vulnerability allows an attacker's malicious script to execute in the browser of any authenticated user or administrator who accesses the affected interface. This could lead to:
* Compromise of user sessions
* Execution of unauthorized actions with the victim's privileges
* Exposure or manipulation of sensitive data
* Degradation of overall system integrity
### Affected Products
The following versions of **CP Plus** 8 Ch. Network Video Recorder are affected:
* CP-UNR-108F1 Hardware V1.0
* CP-UNR-108F1 Web V3.2.7.128806
* CP-UNR-108F1 System V4.001.00AT009.0.R
### Vulnerability Details
**CVE-2026-6824**: A stored Cross-Site Scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-6824)
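The pattern behind a stored XSS of this kind, shown as an added example next to its hardened form. This is not CP Plus firmware code: the advisory does not name the affected modules, so the record shape, the `channelName` field and all function names are hypothetical.

```javascript
// Added illustration, not vendor code. Record shape and `channelName` are assumed.

// Constructed sample of values persisted on a backend: one benign, one carrying markup.
const storedRecords = [
  { id: 1, channelName: "Lobby camera" },
  { id: 2, channelName: '<img src=x onerror="alert(1)">' },
];

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so any tag it contains becomes part of the page for every later viewer.
function renderRowUnsafe(rec) {
  return `<tr><td>${rec.id}</td><td>${rec.channelName}</td></tr>`;
}

// Output encoding for HTML element content and quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: encode at render time, regardless of what was stored.
function renderRowSafe(rec) {
  return `<tr><td>${escapeHtml(rec.id)}</td><td>${escapeHtml(rec.channelName)}</td></tr>`;
}

// Defence in depth at write time: allow-list validation of the field
// (letters, digits, space, underscore, dot, hyphen; 1 to 32 characters).
function isValidChannelName(name) {
  return typeof name === "string" && /^[\p{L}\p{N} _.\-]{1,32}$/u.test(name);
}

// Review helper: true if a rendered row contains any element other than tr/td,
// which means stored data was interpreted as markup.
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?(tr|td)$/i.test(t));
}

for (const rec of storedRecords) {
  console.log(rec.id, "valid on write:", isValidChannelName(rec.channelName),
    "| unsafe render leaks markup:", containsUnexpectedTag(renderRowUnsafe(rec)),
    "| safe render leaks markup:", containsUnexpectedTag(renderRowSafe(rec)));
}
```

Encoding at render time is the control that matters here, because it also neutralizes values that were stored before any input validation existed.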
#### Affected Products
**Vendor:** CP Plus
**Product Version:** CP Plus CP-UNR-108F1 Hardware: V1.0, CP Plus CP-UNR-108F1 Web: V3.2.7.128806, CP Plus CP-UNR-108F1 System: V4.001.00AT009.0.R
**Product Status:** known_affected
**Relevant CWE:** [CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)
### Background
* **Critical Infrastructure Sectors:** Commercial Facilities, Critical Manufacturing, Emergency Services
* **Countries/Areas Deployed:** India, Nepal, United Arab Emirates, Gambia
* **Company Headquarters Location:** India
### Mitigation
**CISA** recommends users take the following defensive measures to minimize the risk of exploitation:
* Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (**VPNs**), recognizing that **VPNs** may have vulnerabilities and should be updated to the most current version available. Also recognize that a **VPN** is only as secure as its connected devices.
* Perform proper impact analysis and risk assessment prior to deploying defensive measures.
**CISA** also reminds users to be vigilant against social engineering attacks:
* Do not click web links or open attachments in unsolicited email messages.
### Acknowledgments
* Jithin Nambiar J reported this vulnerability to **CISA**