Stored Cross-Site Scripting Vulnerability in Dashboard Functionality from Nozomi Networks
CVE-2025-40890

5.8 MEDIUM

Key Information:

Vendor: Nozomi Networks
CVE Published: 25 November 2025

What is CVE-2025-40890?

A stored cross-site scripting (XSS) vulnerability in the Dashboard functionality of Nozomi Networks Guardian and CMC allows an authenticated low-privilege user to create a dashboard whose definition contains a JavaScript payload. The attacker can share that dashboard with other users directly, or export it and socially engineer a victim into importing it. When the victim views or imports the dashboard, the payload executes in the victim's browser session, with the privileges the victim holds in the application. The attacker can therefore perform actions the victim is authorized for: altering application data, disrupting the application's availability, and reading information that the attacker's own account could not access. The issue stems from dashboard content being accepted and later rendered without adequate input validation and output encoding; user awareness of unsolicited dashboard exports reduces the social-engineering path but does not remove the underlying flaw.
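The following is an added illustration of the class of bug described above, not code from Nozomi Networks or from the advisory. It models a dashboard as a small JSON document (the schema with `name`, `widgets[].type`, `widgets[].title` and `widgets[].query` is hypothetical), shows a renderer that concatenates stored strings into markup, then the hardened import-and-render path, and finally an audit helper that flags already-stored dashboards carrying markup or script-like content. The malicious dashboard is a constructed sample.

```javascript
// Added example (not Nozomi Networks code): a stored-XSS pattern in a
// dashboard import/render flow and its hardened counterpart. The dashboard
// JSON schema (name, widgets[].type/title/query) is hypothetical.

// --- Constructed attacker input: an exported dashboard a low-privilege user
// could share or trick a victim into importing. Two payload shapes: an event
// handler in a tag attribute, and a tag breakout plus <script> in a title.
const maliciousDashboard = JSON.stringify({
  name: 'Plant overview <img src=x onerror="alert(document.cookie)">',
  widgets: [
    { type: 'chart', title: 'Alerts</h2><script>alert(document.cookie)</script><h2>', query: 'select * from alerts' },
  ],
});

// --- Vulnerable renderer: untrusted strings are concatenated into markup,
// so whatever the dashboard author stored runs in every viewer's browser.
function renderDashboardUnsafe(json) {
  const d = JSON.parse(json);
  let html = `<h1>${d.name}</h1>`;
  for (const w of d.widgets) {
    html += `<h2>${w.title}</h2><div data-type="${w.type}"></div>`;
  }
  return html;
}

// --- Hardened version. Two independent layers:
// 1) validate the imported structure against an allowlist before storing it;
// 2) escape every stored string at render time (the actual XSS fix; the
//    validator alone does not stop markup inside a legitimate string field).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

const WIDGET_TYPES = new Set(['chart', 'table', 'counter']); // hypothetical allowlist
const MAX_NAME = 200;

function importDashboard(json) {
  const d = JSON.parse(json);
  if (d === null || typeof d !== 'object' || Array.isArray(d)) throw new Error('dashboard must be an object');
  if (typeof d.name !== 'string' || d.name.length > MAX_NAME) throw new Error('invalid dashboard name');
  if (!Array.isArray(d.widgets) || d.widgets.length > 50) throw new Error('invalid widget list');
  const widgets = d.widgets.map((w, i) => {
    if (w === null || typeof w !== 'object') throw new Error(`widget ${i} must be an object`);
    if (!WIDGET_TYPES.has(w.type)) throw new Error(`widget ${i}: unknown type`);
    if (typeof w.title !== 'string' || w.title.length > MAX_NAME) throw new Error(`widget ${i}: invalid title`);
    // Copy only known fields so unexpected keys never reach storage.
    return { type: w.type, title: w.title, query: typeof w.query === 'string' ? w.query : '' };
  });
  return { name: d.name, widgets };
}

function renderDashboardSafe(d) {
  let html = `<h1>${escapeHtml(d.name)}</h1>`;
  for (const w of d.widgets) {
    html += `<h2>${escapeHtml(w.title)}</h2><div data-type="${escapeHtml(w.type)}"></div>`;
  }
  return html;
}

// --- Audit helper: walk an already-stored dashboard and flag string fields
// that carry markup or script-like content. Useful for reviewing dashboards
// created or imported before a fixed version was deployed.
const SUSPICIOUS = /<\s*\/?[a-z]|javascript:|\bon\w+\s*=/i;
function findSuspiciousStrings(node, path = '$') {
  const hits = [];
  if (typeof node === 'string') {
    if (SUSPICIOUS.test(node)) hits.push({ path, value: node });
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => hits.push(...findSuspiciousStrings(v, `${path}[${i}]`)));
  } else if (node !== null && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) hits.push(...findSuspiciousStrings(v, `${path}.${k}`));
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('UNSAFE:', renderDashboardUnsafe(maliciousDashboard));
  console.log('SAFE:  ', renderDashboardSafe(importDashboard(maliciousDashboard)));
  console.log('AUDIT: ', findSuspiciousStrings(JSON.parse(maliciousDashboard)));
}
```

Run it with Node to see the raw `<script>` and `onerror=` survive in the unsafe output while the safe output carries only entity-encoded text. The audit helper is the piece an operator would run over exported dashboard definitions after upgrading: the fix stops new payloads from executing, but it does not tell you which stored dashboards already contain one.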

Affected Version(s)

CMC: all versions prior to 25.4.0

Guardian: all versions prior to 25.4.0

Upgrade to 25.4.0 or later. Because the payload is stored in the dashboard definition, dashboards that were shared or imported before the upgrade are worth reviewing as well, since the upgrade fixes rendering going forward but does not identify dashboards that already contain a payload.

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Low (an authenticated low-privilege user, per the description)
User Interaction: Required (the victim must view or import the malicious dashboard)

Timeline

  • Vulnerability reserved

  • Vulnerability published: 25 November 2025

Credit

ENCS found this issue during a VAPT testing session commissioned by one of our customers.