Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected identity, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
AnalysisAI
Stored HTML injection in Nozomi Networks Guardian and CMC (Central Management Console) Credentials Manager allows authenticated administrators to plant malicious HTML inside identity definitions. When a separate user attempts to delete the poisoned identity, the injected HTML renders in their browser, enabling phishing lures and open redirect attacks against that user. Full script execution (XSS) and direct information disclosure are constrained by existing input validation and Content Security Policy headers, limiting the achievable impact to social engineering vectors. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.
Technical ContextAI
Nozomi Networks Guardian and its Central Management Console (CMC) are OT/ICS network visibility and security platforms, identified by CPE strings cpe:2.3:a:nozomi_networks:guardian:*:*:*:*:*:*:*:* and cpe:2.3:a:nozomi_networks:cmc:*:*:*:*:*:*:*:*. The vulnerability resides in the Credentials Manager feature, which allows administrators to define named identities used for device credential management. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input - specifically an identity name - is not fully sanitized before being persisted and later reflected into a rendered HTML context. The injection is 'stored' (persistent) rather than reflected, so it survives server restarts and triggers on a delayed action (deletion attempt) rather than immediately on input. The platform's Content Security Policy partially mitigates the risk by blocking inline script execution, which prevents full XSS exploitation, but HTML tag injection itself remains effective for rendering phishing content, fake UI elements, or open redirect anchors.
RemediationAI
Upgrade Nozomi Networks Guardian and CMC to version 26.1.0 or later, which is the vendor-confirmed fix version per the advisory at https://security.nozominetworks.com/NN-2026:4-01. If immediate upgrade is not feasible, the most effective compensating control is to strictly limit administrative access to the Guardian and CMC Credentials Manager to the minimum number of trusted accounts, reducing the attack surface for credential compromise or malicious insider activity. Audit existing identity definitions in Credentials Manager for unexpected HTML tags or embedded links as an indicator of prior exploitation. Additionally, enforcing multi-factor authentication on administrative accounts would raise the bar for an attacker to reach the privilege level needed to plant the injection. Note that the existing CSP already prevents full XSS escalation, so no additional CSP tuning is required as a workaround - the residual risk is phishing and open redirect only.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209894
GHSA-m7v5-79cg-6pqf