Stored HTML Injection in Alerted Nodes Dashboard by Nozomi Networks
CVE-2025-40894

2.1LOW

Key Information:

Vendor: Nozomi Networks
Status: Guardian; Cmc
Vendor: CVE Published:; 4 March 2026

🔔 Create Nozomi Networks Vulnerability Alert

What is CVE-2025-40894?

A vulnerability was identified in the Alerted Nodes Dashboard of Nozomi Networks due to inadequate input validation in an input parameter. Malicious authenticated users can exploit this flaw to inject HTML tags by modifying a node label. If alerts are generated for the compromised node, the injected HTML can be displayed in the browser of users accessing the dashboard, potentially leading to phishing attacks and open redirect exploits. While the risk of full XSS exploitation and direct information leakage is mitigated by existing input validation and Content Security Policy, the potential for deception through manipulated content remains a concern.

Affected Version(s)

CMC 0 < 25.6.0

Guardian 0 < 25.6.0

References

https://security.nozominetworks.com/NN-2025:16-01

CVSS V4

Score:

2.1

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 4, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

This issue was found by Stefano Libero of Nozomi Networks Product Security team during an internal investigation.

CVE-2025-40894 Data

JSON