CVE-2025-40894

March 5, 2026, 6:52 p.m.

2.1
Low

Description

A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter. A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is configured to use the Alerted Nodes Dashboard, and alerts are reported for the affected node, then the injected HTML may render in the browser of a victim user interacting with it, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Product(s) Impacted

Vendor Product Versions
Nozominetworks
  • Cmc
  • Guardian
  • *
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a nozominetworks cmc / / / / / / / /
a nozominetworks guardian / / / / / / / /

References

https://security.nozominetworks.com/NN-2025:16-01

Tags

CWE-79
[email protected]
2026-03-04
CVE-2025-40894

CVSS Score

2.1 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Attack Requirements: PRESENT
  • Privileges Required: LOW
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: March 4, 2026, 2:16 p.m.
Last Modified: March 5, 2026, 6:52 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.