CP Plus 8 Ch. Network Video Recorder

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-05.json

Summary

Successful exploitation of this vulnerability allows an attacker's malicious script to execute in the browser of any authenticated user or administrator who accesses the affected interface. This could lead to compromise of user sessions, execution of unauthorized actions with the victim's privileges, exposure or manipulation of sensitive data, and degradation of overall system integrity.

The following versions of CP Plus 8 Ch. Network Video Recorder are affected:

- CP-UNR-108F1 Hardware V1.0
- CP-UNR-108F1 Web V3.2.7.128806
- CP-UNR-108F1 System V4.001.00AT009.0.R

CVSS: v3 8.4
Vendor: CP Plus
Equipment: CP Plus 8 Ch. Network Video Recorder
Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background

- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Emergency Services
- Countries/Areas Deployed: India, Nepal, United Arab Emirates, Gambia
- Company Headquarters Location: India

Vulnerabilities

CVE-2026-6824

A stored Cross-Site Scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-6824

Affected Products

CP Plus 8 Ch. Network Video Recorder

Vendor: CP Plus
Product Version: CP Plus CP-UNR-108F1 Hardware: V1.0, CP Plus CP-UNR-108F1 Web: V3.2.7.128806, CP Plus CP-UNR-108F1 System: V4.001.00AT009.0.R
Product Status: known_affected

Remediations

Mitigation
CP Plus recommends updating the firmware on the device to the latest firmware version.

Mit

Originally published by CISA

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05
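
The product status and remediation fields in this advisory come from the linked CSAF file. As an added example (not CISA's or CP Plus's code), the Python below matches a CSAF advisory's known_affected products against a device inventory; the JSON fragment, the product id CSAFPID-0001, the inventory and the function names are constructed for illustration.

```python
import json

# Constructed CSAF 2.0 fragment. Field names follow the CSAF schema; product
# and CVE values are the ones shown in the advisory. "CSAFPID-0001" is a
# placeholder id, not taken from the real file.
SAMPLE_CSAF = json.loads("""{
 "product_tree": {"branches": [{"category": "vendor", "name": "CP Plus",
  "branches": [{"category": "product_version", "name": "Web: V3.2.7.128806",
   "product": {"product_id": "CSAFPID-0001",
               "name": "CP Plus CP-UNR-108F1 Web: V3.2.7.128806"}}]}]},
 "vulnerabilities": [{"cve": "CVE-2026-6824",
  "product_status": {"known_affected": ["CSAFPID-0001"]},
  "remediations": [{"category": "mitigation", "product_ids": ["CSAFPID-0001"],
   "details": "CP Plus recommends updating the firmware on the device to the latest firmware version."}]}]
}""")

# Constructed asset inventory; host names and the second version are made up.
INVENTORY = [
    {"host": "nvr-lobby", "model": "CP-UNR-108F1", "web": "V3.2.7.128806"},
    {"host": "nvr-dock", "model": "CP-UNR-108F1", "web": "V3.2.8.000000"},
]

def index_products(branches, out=None):
    """Walk product_tree.branches recursively; map product_id -> full name."""
    out = {} if out is None else out
    for branch in branches:
        if "product" in branch:
            out[branch["product"]["product_id"]] = branch["product"]["name"]
        index_products(branch.get("branches", []), out)
    return out

def affected_assets(csaf, inventory):
    """Return (host, cve, [remediation details]) for each inventory entry whose
    model and web version match a known_affected product name token-for-token."""
    names = index_products(csaf.get("product_tree", {}).get("branches", []))
    hits = []
    for vuln in csaf.get("vulnerabilities", []):
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            tokens = names.get(pid, "").replace(":", " ").split()
            fixes = [r["details"] for r in vuln.get("remediations", [])
                     if pid in r.get("product_ids", [])]
            for asset in inventory:
                if asset["model"] in tokens and asset["web"] in tokens:
                    hits.append((asset["host"], vuln["cve"], fixes))
    return hits

if __name__ == "__main__":
    for host, cve, fixes in affected_assets(SAMPLE_CSAF, INVENTORY):
        print(host, cve, *fixes, sep=" | ")
```

Versions are compared as whole tokens, so a truncated or prefix version string in the inventory does not produce a false match.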
