Stored HTML Injection Vulnerability in Credentials Manager by Vendor
CVE-2025-40901

4.8 MEDIUM

Key Information:

Vendor
CVE Published:
19 May 2026

What is CVE-2025-40901?

A stored HTML injection vulnerability exists in the Credentials Manager functionality: improper validation of input parameters allows an authenticated administrator to create an identity whose name carries embedded HTML tags. The risk materialises when another user (the victim) later attempts to delete that identity, because the stored markup is rendered in the victim's browser at that point. Existing input validation and the Content Security Policy prevent full XSS and direct information disclosure, but the injected markup can still be used for phishing and open redirect attacks against the victim.
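The root cause described above is the classic one: a stored value is placed into page markup without output encoding. The following is an added example written for this page, not code from the affected products or from the advisory's authors; the function names, the delete-confirmation layout and the sample identity name are all hypothetical. It contrasts a rendering function that interpolates the stored name straight into HTML with one that encodes at the output boundary, and adds a save-time name check as a second layer.

```javascript
// Added example (hypothetical code, not the vendor's): HTML injection via a
// stored identity name, and the contextual output encoding that neutralises it.

// Constructed sample input: an identity name that an administrator could store,
// carrying an anchor tag that would render as a clickable link.
const CONSTRUCTED_IDENTITY_NAME =
  'backup-svc<a href="https://example.invalid/">Session expired, click here</a>';

// Vulnerable pattern: the stored name is concatenated into markup that the
// page later assigns to innerHTML, so the browser parses the injected tag.
function renderDeletePromptVulnerable(identityName) {
  return `<p>Delete identity ${identityName}?</p>`;
}

// Contextual output encoding for HTML text content and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: encode at the output boundary, so the name is displayed
// literally and the tag text is never parsed as markup.
function renderDeletePromptHardened(identityName) {
  return `<p>Delete identity ${escapeHtml(identityName)}?</p>`;
}

// Second layer at save time (defence in depth, not a substitute for encoding):
// reject names containing characters that have no use in an identity label.
function isSafeIdentityName(name) {
  return typeof name === 'string'
    && name.length > 0
    && name.length <= 128
    && !/[<>"'&]/.test(name);
}

// Helper for review and testing: does rendered output still contain a raw tag?
function containsRawTag(html) {
  return /<a\s/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable:', renderDeletePromptVulnerable(CONSTRUCTED_IDENTITY_NAME));
console.log('hardened:  ', renderDeletePromptHardened(CONSTRUCTED_IDENTITY_NAME));
console.log('name accepted at save time:', isSafeIdentityName(CONSTRUCTED_IDENTITY_NAME));
```

The encoding step belongs wherever the name is written into the page (confirmation dialogs, lists, audit views); relying on the save-time check alone leaves any pre-existing stored names and any other input path unprotected, which is why the advisory's fix is framed as input validation rather than a change to a single screen.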

Affected Version(s)

CMC: all versions before 26.1.0

Guardian: all versions before 26.1.0

References

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was found by Stefano Libero and Andrea Palanca of the Nozomi Networks Product Security team during an internal investigation.