Stored HTML Injection in N2OS by Nozomi Networks
CVE-2026-31981
What is CVE-2026-31981?
A vulnerability present in N2OS allows authenticated users with administrative privileges to perform Stored HTML Injection via a shared input validation function that is insufficiently restrictive. This issue can be exploited through various input vectors, allowing the injection of malicious HTML into N2OS configuration data. When a user views this data in the Diagram tab and Graph view, the malicious content can execute in the victim's browser, potentially leading to phishing attacks and open redirect vulnerabilities. While the existing input validation and Content Security Policy configurations mitigate full cross-site scripting (XSS) exploitation and direct information disclosure, the risk remains significant for impacted users.
Affected Version(s)
CMC 0 < 26.2.0
Guardian 0 < 26.2.0
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
