CVE-2026-6824

A stored cross-site scripting XSS vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators o...

CVE-2026-34005

In Sofia on Xiongmai DVR/NVR AHB7008T-MH-V2 and NBD7024H-P 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol TCP port 34567 request to the NetWork.NetCommon configuration handler, because system is used...

EUVD-2022-47970

Malicious code in bioql PyPI...

CVE-2025-34056

CVE-2025-34056 affects AVTECH IP camera, DVR, and NVR devices. The vulnerability is an OS command injection in the PwdGrp.cgi endpoint that manages users/groups. Authenticated users can pass input via the pwd or grp parameters, which are embedded into system commands without proper sanitization, ...

CVE-2024-41886

CVE-2024-41886 affects an NVR where an attacker could inject malformed data into URL input parameters to trigger remote code execution and reboot the device. The root cause is improper handling of URL input leading to RCE, with an impact on availability (reboot) and negligible confidentiality/ in...

QNAP NAS/NVR Administrator Hash Disclosure

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'QNAP NAS/NVR Administrator Hash Disclosure', 'Description' = %q This module exploits combined heap and stack buffer overflows for QNAP NAS and NV...

Mirai Botnet’s Offspring InfectedSlurs Exploits Dual Zero-Days

Summary: A new Mirai-based malware botnet, InfectedSlurs, is actively conducting a sophisticated campaign by exploiting two zero-day remote code execution RCE vulnerabilities in routers and video recorder NVR devices. These vulnerabilities, currently being exploited in the wild, facilitate the...

CVE-2022-45460

CVE-2022-45460 affects XiongMai NVRs (e.g., MBD6304T and NBD6808T-PL) and is caused by a stack-based buffer overflow triggered by a long URI in a sprintf call on the web server. An unauthenticated, remote attacker can crash the web server and reboot the device, with potential arbitrary code execu...

NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Unauthenticated Remote Code Execution

The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable to an unauthenticated remote code execution on the exposed web administration interface. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been test...

CVE-2013-0144

Cross-site request forgery CSRF vulnerability in cgi-bin/createuser.cgi on QNAP VioStor NVR devices with firmware 4.0.3 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts via a NEW USER action...