A stored XSS vulnerability (CVE‑2026‑6824) has been identified in CP Plus 8‑channel network video recorders.
The flaw stems from inadequate sanitisation of user‑supplied input in the device’s web interface. Once a malicious script has been stored on the device, any authenticated user or administrator who opens the affected page executes that script in their browser. An attacker can use this to hijack sessions, issue commands with the victim’s privileges, and expose or tamper with recorded video data. The issue affects hardware version V1.0 and web/system firmware versions V3.2.7.128806 and V4.001.00AT009.0.R, and carries a CVSS‑3.1 base score of 8.4 (high).
For operators of critical infrastructure—commercial facilities, manufacturing plants, and emergency services—this turns a surveillance device into a foothold for broader network compromise. Because the payload is stored on the device, it persists until the firmware is patched, and it can be triggered remotely if the NVR is reachable from the internet.
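The rendering pattern behind a stored XSS of this kind, shown beside its hardened form and a defensive check, as an added example rather than CP Plus code: the advisory does not name the field the firmware fails to sanitise, so the "channel name" setting and the sample values below are constructed stand-ins for any stored, user-supplied value the web UI later renders for other users.

```python
"""Stored-XSS illustration for an NVR web interface (added example, not vendor code).

The actual injection point in the CP Plus firmware is not named in the advisory;
the channel-name setting here is a hypothetical stand-in for any stored value
that the web interface renders back to an administrator's browser.
"""
import html
import re

# Constructed sample of stored device settings, as an NVR backend might hold them.
# channel_3 carries a script tag of the kind a stored XSS relies on.
STORED_SETTINGS = {
    "channel_1": "Front Gate",
    "channel_2": "Loading Dock <b>(night)</b>",
    "channel_3": "Lobby<script>alert(1)</script>",
}

# Any tag-like markup in a value that should be plain text is suspicious.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_channel_row_vulnerable(name: str) -> str:
    """The flawed pattern: stored input concatenated into HTML without escaping."""
    return f"<tr><td>{name}</td></tr>"


def render_channel_row_fixed(name: str) -> str:
    """Hardened form: HTML-escape every stored value at output time."""
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


def find_suspect_settings(settings: dict) -> list:
    """Defensive audit: keys whose stored values contain HTML markup."""
    return [key for key, value in settings.items() if _MARKUP.search(value)]


def contains_script_tag(page: str) -> bool:
    """True if the rendered HTML still contains a live <script> element."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    for key, value in STORED_SETTINGS.items():
        print(key, "vulnerable:", render_channel_row_vulnerable(value))
        print(key, "fixed:     ", render_channel_row_fixed(value))
    print("suspect settings:", find_suspect_settings(STORED_SETTINGS))
```

Running the audit over an export of the device's configuration is a practical way to check whether a payload is already stored before the firmware update is applied.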
Until the firmware update (CP‑UNR‑AxxxMars_PN_15_Q_00_V1.00.14.01.T.260326) is applied, administrators should treat affected NVRs as untrusted, isolate them from external networks, and restrict web access to trusted internal hosts.
