CVE-2025-40894 PUBLISHED

HTML injection in Alerted Nodes Dashboard in Guardian/CMC before 25.6.0

Assigner: Nozomi
Reserved: 16.04.2025 Published: 04.03.2026 Updated: 04.03.2026

A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation of an input parameter.

A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is configured to use the Alerted Nodes Dashboard, and alerts are reported for the affected node, then the injected HTML may render in the browser of a victim user interacting with it, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 2.1

Product Status

Vendor: Nozomi Networks
Product: Guardian
Versions: Default: unaffected
  • affected from 0 to 25.6.0 (excl.)

Vendor: Nozomi Networks
Product: CMC
Versions: Default: unaffected
  • affected from 0 to 25.6.0 (excl.)

Solutions

Upgrade to v25.6.0 or later.

Credits

  • This issue was found by Stefano Libero of the Nozomi Networks Product Security team during an internal investigation.

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Impacts

  • CAPEC-592 Stored XSS