CVE-2026-6824: Stored XSS in 1xxx Series NVR Devices – Critical Vulnerability Analysis
A stored cross-site scripting (XSS) vulnerability affects certain 1xxx series network video recorder (NVR) devices. Attackers with high-level administrative access can inject malicious JavaScript into the device through specific functional modules that fail to properly validate user input. Unlike reflected XSS attacks that require a user to click a malicious link, this vulnerability persists on the NVR backend—meaning when any administrator or authorized user logs in and views the compromised pages, the attacker's scripts run automatically in their browser session without additional user interaction beyond normal login. This could enable an attacker to impersonate users, perform unauthorized actions on the device or connected systems, or exfiltrate sensitive data like recordings or credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.4 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from inadequate input sanitization in specific functional modules of 1xxx series NVR devices. An authenticated attacker with high privileges (PR:H) can inject arbitrary HTML and JavaScript that becomes persistently stored in the device's backend database or configuration. When an administrator or user accesses the affected functionality, the stored payload executes in their browser within the security context of the NVR's web interface. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H) indicates network accessibility, low attack complexity, high privilege requirement, user interaction dependency, scope change across security boundaries, and high impact to confidentiality, integrity, and availability. The vulnerability maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical weakness for XSS flaws.
Business impact
For organizations operating surveillance infrastructure, this vulnerability presents a multi-faceted risk. An insider or a privileged threat actor could compromise the integrity of security footage, modify device settings without audit trails, or harvest administrator credentials for lateral movement. The stored nature of the attack means the compromise persists across reboots and updates until the malicious payload is discovered and removed. For facilities relying on NVR systems for physical security, compliance, or investigative purposes, the ability to manipulate or exfiltrate recordings directly undermines the trustworthiness of the entire surveillance system. Additionally, scope change (S:C in the CVSS vector) indicates the attacker may be able to impact resources beyond the NVR itself, potentially affecting network segments or integrated security systems.
Affected systems
This vulnerability specifically affects NVR devices in the 1xxx product series. The vendors_products field in the source data is empty, meaning the specific vendor and exact model numbers are not provided in the ground-truth data. Organizations using 1xxx series NVRs should consult the vendor's official security advisory to determine which sub-models and firmware versions are impacted and which have been patched. Devices in this series that have not been updated to a patched firmware version are vulnerable if an attacker can authenticate with administrative credentials.
Exploitability
Exploitation requires an authenticated attacker with high-level administrative privileges (PR:H), which is a significant control that limits the attack surface. However, given that many organizations struggle with credential hygiene and privilege escalation is a common lateral-movement technique, this requirement should not be considered a strong mitigation. The attack complexity is low (AC:L), meaning once an attacker has administrative access, successfully injecting and storing malicious scripts does not require specialized conditions or extensive reconnaissance. User interaction (UI:R) is required for the payload to execute—specifically, a victim administrator must visit the affected pages—but this is a routine administrative task and therefore a relatively weak control. Overall, the vulnerability is moderately difficult to exploit but poses a serious risk in environments where administrative credentials may be compromised or where threat actors already have network access.
Remediation
The primary remediation is to apply the vendor's patched firmware version to affected 1xxx series NVRs. Verify the specific patched version against the vendor's security advisory. Until patches can be applied, implement compensating controls: restrict administrative access to the NVR web interface using firewall rules or VPN requirements, enforce multi-factor authentication for administrative logins if available, and monitor NVR access logs for suspicious activity. Conduct a security audit of stored configurations and administrative settings to detect any injected scripts or unauthorized modifications. If malicious scripts have been detected, perform a factory reset or reinstall the firmware to eliminate the persistent payload. Additionally, review and rotate all administrative credentials for the affected NVRs and any systems they can access.
Patch guidance
Contact the vendor or visit their security advisory portal to identify the patched firmware version for your specific 1xxx series model and current firmware level. Verify the availability and release date of the patch before scheduling deployment. Test the patch in a non-production environment if possible to ensure compatibility with your current configuration, integrations, and backup systems. Plan for a maintenance window, as firmware updates typically require device restart. After patching, verify that the NVR functionality is restored, that no configurations were corrupted, and that recordings are intact. Document the patch application date and version for audit compliance. For devices that cannot be patched immediately, implement the compensating controls outlined in the remediation section.
Detection guidance
Monitor NVR access logs and authentication events for failed login attempts or unusual administrative account activity. Review web server logs and configuration files for unexpected HTML or JavaScript patterns, particularly in any user-supplied fields such as device names, descriptions, or custom labels. Use your security information and event management (SIEM) system to correlate multiple failed login attempts followed by successful administrative access, which could indicate a credential compromise. If you have the ability to inspect the NVR's stored configuration or database, search for common XSS payload markers (e.g., <script>, javascript:, onerror=, onload=). Implement network-level detection by monitoring for large or unusual HTTP POST requests to the NVR's configuration endpoints. Consider periodic manual review of the NVR web interface for visual anomalies or unexpected dialog boxes, which could indicate stored XSS payloads. If your organization has a web application firewall or intrusion detection system, configure it to flag XSS pattern attempts on NVR administrative interfaces.
Why prioritize this
Despite not being on the CISA Known Exploited Vulnerabilities (KEV) catalog, this vulnerability merits high-priority remediation due to its HIGH CVSS score (8.4), the persistent nature of stored XSS, the critical role of NVR systems in physical security infrastructure, and the potential for data exfiltration or tampering. The requirement for administrative privileges reduces immediate threat, but the widespread use of weak or reused credentials in operational technology environments means that privilege assumption is a realistic threat scenario. Organizations should prioritize patching based on network segmentation: NVRs directly accessible from untrusted networks should be patched first, followed by those in restricted administrative networks.
Risk score, explained
The CVSS 3.1 score of 8.4 (HIGH) reflects: (1) Network Attack Vector—the vulnerability is exploitable remotely without physical access; (2) Low Attack Complexity—no special conditions or extensive setup required; (3) High Privilege Requirement—a significant limiting factor that prevents opportunistic exploitation by external, unauthenticated threat actors; (4) Required User Interaction—an administrator must actively visit the affected page, which mitigates the risk but is a routine action; (5) Scope Change—the attack can affect security properties of the system itself and potentially other systems or security domains; and (6) High Impact across Confidentiality, Integrity, and Availability—an attacker can read sensitive data (recordings, credentials), modify device behavior or recordings, and potentially disrupt NVR operation. The score is moderately high rather than critical primarily because of the privilege and user interaction requirements, but the persistent nature and broad impact justify treating it as a significant organizational risk.
Frequently asked questions
What is the difference between stored XSS and reflected XSS, and why does it matter for this vulnerability?
Reflected XSS requires an attacker to trick a user into clicking a malicious link; the payload executes once in that user's browser but is not saved on the server. Stored XSS, as in this vulnerability, is injected once and persists in the device's backend. Every subsequent time an administrator logs in and views the compromised page, the malicious script runs automatically without requiring the user to click anything. This makes stored XSS far more dangerous and difficult to detect because the attack repeats itself indefinitely across multiple users and sessions until the payload is removed.
Why is administrative privilege required to exploit this vulnerability, and does that make it safe to ignore?
The vulnerability requires high-privilege credentials because the vulnerable input fields are in administrative or configuration modules of the NVR. However, privilege requirement should not be conflated with safety. Insider threats, credential compromise through phishing or lateral movement, shared administrative accounts, and poor access controls are endemic in many organizations. Additionally, once an attacker achieves administrative access through other means (e.g., weak default credentials, unpatched vulnerabilities on the network), this XSS flaw becomes an immediately available pivot to harvest further credentials or disrupt the surveillance system. Treat it as a high-priority follow-up risk.
Our NVR has been isolated on a restricted network. Do we still need to patch this vulnerability immediately?
Network isolation is a valuable compensating control and significantly reduces your immediate risk. However, isolation is not a permanent solution because: (1) maintenance access may still be required; (2) isolated networks can be compromised through insider access, supply chain attacks, or lateral movement from adjacent network segments; (3) the longer you defer patching, the greater the window for a sophisticated attacker to exploit a compromised NVR and use it as a pivot point. Plan to patch within your normal change management cycle, but prioritize NVRs with broader network access or external connectivity first.
How do I know if my NVR has already been compromised by this vulnerability?
Check your NVR access logs for unusual administrative login activity, especially from unexpected IP addresses or times. Inspect the device's configuration and any custom fields (device names, labels, descriptions) for suspicious HTML or JavaScript code, particularly strings containing <script>, javascript:, or event handlers like onerror= or onload=. Use your browser's developer console (F12) when logged into the NVR web interface to inspect the HTML source for injected code. If you suspect compromise, apply compensating controls immediately (restrict access, rotate credentials), document the evidence, and escalate to your security and incident response teams before patching, as the patch may overwrite forensic artifacts.
This analysis is provided for informational purposes by SEC.co and represents our interpretation of publicly disclosed vulnerability information as of the publication date. Vendors_products field in the source data was empty; we recommend consulting the official vendor security advisory to confirm affected models and patched versions. CVSS scores, KEV status, and CWE mappings are based on official CVE record data and subject to change. This writeup does not constitute legal advice, assurance of coverage, or a guarantee of risk mitigation. Organizations must conduct their own vulnerability assessments and apply patches according to their risk management and change control policies. No proof-of-concept or exploitation details are provided; security testing should be conducted only in controlled environments with proper authorization. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)