Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
AnalysisAI
Stored HTML injection in Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated administrator to create a user account whose username contains raw HTML tags that are rendered unescaped in a victim's browser. The injection triggers specifically during group deletion workflows - when any user attempts to delete a group containing the malicious account, the stored payload renders. Full XSS exploitation is blocked by the platform's Content Security Policy, but the attack surface remains viable for phishing and open redirect abuse. No public exploit code exists and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the high privilege prerequisite and required user interaction, which substantially constrain real-world risk.
Technical ContextAI
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS subtype), rooted in insufficient server-side or output-encoding validation of the username input field in the Users management functionality. The application stores the unsanitized value and later reflects it into a deletion confirmation or group management page without HTML-encoding, allowing injected tags to be parsed and rendered by the victim's browser. Affected products are identified by CPE strings cpe:2.3:a:nozomi_networks:guardian and cpe:2.3:a:nozomi_networks:cmc, both covering all versions below 26.1.0. Guardian is Nozomi Networks' OT/IoT network visibility and security sensor platform; CMC (Central Management Console) is its centralized management layer. The platform's existing Content Security Policy configuration provides a meaningful partial defense, blocking execution of injected scripts and preventing direct information disclosure, but does not neutralize HTML element injection or anchor-tag-based open redirects.
RemediationAI
The vendor-released patch is Guardian 26.1.0 and CMC 26.1.0, which resolve the improper input validation in the username field. Organizations should upgrade to these versions or later as the primary remediation, referencing the vendor advisory at https://security.nozominetworks.com/NN-2026:5-01 for upgrade guidance. If immediate patching is not feasible, the following compensating controls should be considered: restrict administrative account creation to a minimal set of trusted operators and enable audit logging on user creation events to detect anomalous usernames containing angle brackets or HTML entities; enforce the principle of least privilege so that only a narrow set of accounts can both create users and manage groups, reducing the opportunity for the attack chain to complete; and review existing usernames in the platform for HTML content as a one-time detection sweep. Note that the existing CSP already limits the exploitability of this issue, but it does not eliminate the open redirect and phishing risk, so patching remains the definitive fix.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209893
GHSA-qhx5-6j68-67q4