Skip to main content

Nozomi Guardian CVE-2025-40902

| EUVDEUVD-2025-209893 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-19 Nozomi GHSA-qhx5-6j68-67q4
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 19, 2026 - 14:34 vuln.today
CVSS changed
May 19, 2026 - 14:22 NVD
5.9 (MEDIUM) 4.8 (MEDIUM)
Patch available
May 19, 2026 - 14:02 EUVD

DescriptionCVE.org

A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

AnalysisAI

Stored HTML injection in Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated administrator to create a user account whose username contains raw HTML tags that are rendered unescaped in a victim's browser. The injection triggers specifically during group deletion workflows - when any user attempts to delete a group containing the malicious account, the stored payload renders. Full XSS exploitation is blocked by the platform's Content Security Policy, but the attack surface remains viable for phishing and open redirect abuse. No public exploit code exists and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the high privilege prerequisite and required user interaction, which substantially constrain real-world risk.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS subtype), rooted in insufficient server-side or output-encoding validation of the username input field in the Users management functionality. The application stores the unsanitized value and later reflects it into a deletion confirmation or group management page without HTML-encoding, allowing injected tags to be parsed and rendered by the victim's browser. Affected products are identified by CPE strings cpe:2.3:a:nozomi_networks:guardian and cpe:2.3:a:nozomi_networks:cmc, both covering all versions below 26.1.0. Guardian is Nozomi Networks' OT/IoT network visibility and security sensor platform; CMC (Central Management Console) is its centralized management layer. The platform's existing Content Security Policy configuration provides a meaningful partial defense, blocking execution of injected scripts and preventing direct information disclosure, but does not neutralize HTML element injection or anchor-tag-based open redirects.

RemediationAI

The vendor-released patch is Guardian 26.1.0 and CMC 26.1.0, which resolve the improper input validation in the username field. Organizations should upgrade to these versions or later as the primary remediation, referencing the vendor advisory at https://security.nozominetworks.com/NN-2026:5-01 for upgrade guidance. If immediate patching is not feasible, the following compensating controls should be considered: restrict administrative account creation to a minimal set of trusted operators and enable audit logging on user creation events to detect anomalous usernames containing angle brackets or HTML entities; enforce the principle of least privilege so that only a narrow set of accounts can both create users and manage groups, reducing the opportunity for the attack chain to complete; and review existing usernames in the platform for HTML content as a one-time detection sweep. Note that the existing CSP already limits the exploitability of this issue, but it does not eliminate the open redirect and phishing risk, so patching remains the definitive fix.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2025-40902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy