Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
AnalysisAI
Stored HTML injection in Nozomi Networks Guardian and CMC's Schedule Restore Archive feature permits authenticated administrators to embed arbitrary HTML tags within restore schedule configurations. When any user views the poisoned schedule entry, the injected markup renders in their browser, enabling phishing lures and potential open redirect attacks against operators. Full JavaScript execution is blocked by the platform's existing Content Security Policy and server-side validation, and no public exploit has been identified at time of analysis; however, in OT/ICS environments where operator trust is high, even HTML-level injection can support targeted social engineering.
Technical ContextAI
Nozomi Networks Guardian and CMC (Central Management Console) are OT/IoT network visibility and security monitoring platforms widely deployed in critical infrastructure environments. The vulnerability resides in the Schedule Restore Archive feature, where a specific input parameter is insufficiently sanitized before being persisted and later rendered in the browser. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause as a failure to neutralize user-controlled content prior to HTML rendering - a stored variant, meaning the payload persists server-side and executes for any subsequent viewer without further attacker interaction. CPE strings cpe:2.3:a:nozomi_networks:guardian:*:*:*:*:*:*:*:* and cpe:2.3:a:nozomi_networks:cmc:*:*:*:*:*:*:*:* confirm both product lines are affected across all versions prior to 26.1.0. Existing Content Security Policy headers prevent escalation to full script execution, confining the practical attack surface to HTML-level effects such as anchor tag injection, iframe embedding, and open redirect payloads.
RemediationAI
Upgrade Nozomi Networks Guardian and CMC to version 26.1.0 or later, which remediates the improper input validation in the Schedule Restore Archive functionality. The authoritative vendor advisory with upgrade guidance is available at https://security.nozominetworks.com/NN-2026:6-01. As an interim compensating control prior to patching, restrict administrative access to the minimum number of trusted personnel using role-based access controls, reducing the likelihood that a compromised admin account can inject content - note this does not eliminate the vulnerability but raises the bar for exploitation. Additionally, audit existing restore schedule configurations for unexpected HTML tags (anchor elements, iframes, meta refresh directives) to identify any prior injection attempts. Enabling alerting on administrative configuration changes in the schedule restore area can provide detection coverage while patches are applied.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209896
GHSA-9pfj-vxgx-63wq