Stored HTML Injection in Schedule Restore Archive Functionality Affects Nozomi Networks
CVE-2025-40903

4.8MEDIUM

Key Information:

Vendor: Nozomi Networks
Status: Guardian; Cmc
Vendor: CVE Published:; 19 May 2026

🔔 Create Nozomi Networks Vulnerability Alert

What is CVE-2025-40903?

A Stored HTML Injection vulnerability exists within the Schedule Restore Archive functionality due to inadequate input parameter validation. An authenticated user with administrative access can create a malicious restore schedule that includes harmful HTML tags. When another user views this schedule, the malicious HTML executes in their browser, raising the risk of phishing attacks and open redirect exploits. While complete XSS exploitation and information disclosure are mitigated by current input validation and Content Security Policy configurations, the potential for harm through this vulnerability remains significant.

Affected Version(s)

CMC 0 < 26.1.0

Guardian 0 < 26.1.0

References

https://security.nozominetworks.com/NN-2026:6-01

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

This issue was found by Stefano Libero and Andrea Palanca of Nozomi Networks Product Security team during an internal investigation.

CVE-2025-40903 Data

JSON