CVE-2026-6824
Awaiting Analysis Awaiting Analysis - Queue

Stored XSS in 1xxx Series NVR Devices

Vulnerability report for CVE-2026-6824, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: ICS-CERT

Description

A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-07-09
AI Q&A
2026-05-29
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue found in certain 1xxx series NVR devices. It occurs because the device does not properly sanitize user-supplied input in specific functional modules. As a result, attackers can inject malicious scripts that are persistently stored on the device backend.

When administrators or users access the affected pages, these stored malicious scripts execute in their browsers, potentially allowing attackers to hijack sessions, perform unauthorized actions, or steal data.

Impact Analysis

The impact of this vulnerability includes the risk of session hijacking, where attackers can take over user sessions to gain unauthorized access.

It can also lead to unauthorized actions being performed on behalf of legitimate users or administrators.

Additionally, sensitive data may be stolen through the execution of malicious scripts in users' browsers.

Overall, this can compromise the security and integrity of the affected NVR devices and the data they manage.

Compliance Impact

The stored cross-site scripting (XSS) vulnerability in the affected NVR devices can lead to session hijacking, unauthorized actions, or data theft by executing malicious scripts in users' browsers.

Such security issues can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to address this vulnerability may result in violations of these regulations due to potential data exposure or compromise of user sessions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6824. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart