The vulnerability involves a local file disclosure flaw in NUUO NVRmini devices, where the 'css' parameter in 'css_parser.php' is improperly sanitized, allowing attackers to read arbitrary files. The provided code includes HTTP request/response examples demonstrating the exploit.