Stored HTML Injection in N2OS by Nozomi Networks
CVE-2026-31981

4.8MEDIUM

Key Information:

Vendor
CVE Published:
9 July 2026

What is CVE-2026-31981?

A vulnerability present in N2OS allows authenticated users with administrative privileges to perform Stored HTML Injection via a shared input validation function that is insufficiently restrictive. This issue can be exploited through various input vectors, allowing the injection of malicious HTML into N2OS configuration data. When a user views this data in the Diagram tab and Graph view, the malicious content can execute in the victim's browser, potentially leading to phishing attacks and open redirect vulnerabilities. While the existing input validation and Content Security Policy configurations mitigate full cross-site scripting (XSS) exploitation and direct information disclosure, the risk remains significant for impacted users.

Affected Version(s)

CMC 0 < 26.2.0

Guardian 0 < 26.2.0

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was found by Stefano Libero and Andrea Palanca of Nozomi Networks Product Security team during an internal investigation.
.