CVE-2026-6824
Stored XSS in 1xxx Series NVR Devices
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue found in certain 1xxx series NVR devices. It occurs because the device does not properly sanitize user-supplied input in specific functional modules. As a result, attackers can inject malicious scripts that are persistently stored on the device backend.
When administrators or users access the affected pages, these stored malicious scripts execute in their browsers, potentially allowing attackers to hijack sessions, perform unauthorized actions, or steal data.
How can this vulnerability impact me? :
The impact of this vulnerability includes the risk of session hijacking, where attackers can take over user sessions to gain unauthorized access.
It can also lead to unauthorized actions being performed on behalf of legitimate users or administrators.
Additionally, sensitive data may be stolen through the execution of malicious scripts in users' browsers.
Overall, this can compromise the security and integrity of the affected NVR devices and the data they manage.