[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-cp-plus-nvr-firmware-flaw-lets-stored-xss-hijack-admin-sessions":10},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":30,"persona_id":22,"persona_name":22,"section":22,"tags":31,"sources":35,"feedback":39,"feedback_at":22,"cost_usd":39,"total_tokens":39},1014,"cp-plus-nvr-firmware-flaw-lets-stored-xss-hijack-admin-sessions","CP Plus NVR firmware flaw lets stored XSS hijack admin sessions","A stored cross‑site scripting bug in CP Plus 8‑channel NVRs scores 8.4 CVSS and can be fixed with a firmware update.","A stored XSS vulnerability (CVE‑2026‑6824) has been identified in CP Plus 8‑channel network video recorders.\n\nThe flaw stems from inadequate sanitisation of user‑supplied input in the device’s web interface. When malicious script is saved on the backend, any authenticated user or administrator who opens the affected page executes the script in their browser. The attack can hijack sessions, issue commands with the victim’s privileges, and expose or tamper with recorded video data. The issue affects hardware version V1.0 and web\u002Fsystem firmware versions V3.2.7.128806 and V4.001.00AT009.0.R, with a CVSS‑3.1 base score of 8.4 (high).\n\nFor operators of critical infrastructure—commercial facilities, manufacturing plants, and emergency services—this turns a surveillance device into a foothold for broader network compromise. 
Because the XSS is stored, a script saved on the device keeps running for every user who opens the affected page until the firmware is patched, and it can be triggered remotely if the NVR is reachable from the internet.\n\nUntil the firmware update (CP‑UNR‑AxxxMars_PN_15_Q_00_V1.00.14.01.T.260326) is applied, administrators should treat affected NVRs as untrusted, isolate them from external networks, and restrict web access to trusted internal hosts.","[\"cve\",\"network-video-recorder\",\"ics-security\"]","2026-05-28T12:00:00.000Z","2026-06-16T03:58:56.842Z","2026-06-16T03:59:03.389Z","published",null,[24],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"Add a clear concluding paragraph summarising the risk and the recommended action, e.g., “Until the firmware update is applied, administrators should treat affected NVRs as untrusted and isolate them from external networks.”","resolved","https:\u002F\u002Fcdn.xyz.onl\u002Farticle-images\u002Fcp-plus-nvr-firmware-flaw-lets-stored-xss-hijack-admin-sessions.webp",[32,33,34],"cve","network-video-recorder","ics-security",[36],{"name":37,"url":38},"CISA Advisories","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-148-05",0]