CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Analysis (AI)
Angular template injection in the Reports functionality of Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated user with report privileges to execute arbitrary Angular template expressions in a victim's browser context. Exploitation requires that the attacker either holds report creation privileges directly or socially engineers a victim into importing a crafted malicious report template. Successful exploitation enables modification of application data or disruption of application availability; however, full XSS exploitation and direct information disclosure are explicitly constrained by the product's existing input validation and Content Security Policy configuration. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Technical Context (AI)
CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) describes the root cause: user-controlled input is passed into Angular's template rendering engine without adequate sanitization, enabling client-side template injection (CSTI) in the victim's browser. Angular's template syntax, including expressions like {{constructor.constructor('...')()}}, can be leveraged to break out of sandboxed template evaluation in certain Angular versions or configurations. Affected products per CPE are cpe:2.3:a:nozomi_networks:guardian:*:*:*:*:*:*:*:* and cpe:2.3:a:nozomi_networks:cmc:*:*:*:*:*:*:*:*, covering all Guardian and CMC releases prior to 26.1.0. Guardian and CMC are OT/ICS network monitoring platforms used in industrial and critical infrastructure environments, making integrity and availability impacts particularly relevant to operational continuity.
Remediation (AI)
The vendor-released patch is version 26.1.0 for both Guardian and CMC, which addresses the improper input validation in the Reports functionality. Operators should upgrade to Guardian 26.1.0 or CMC 26.1.0 or later following the guidance in the vendor advisory at https://security.nozominetworks.com/NN-2026:3-01. As a compensating control prior to patching, restrict report creation and import privileges to a minimal set of trusted administrative users, reducing the pool of accounts that could be used to introduce a malicious template. Additionally, enforce organizational controls around sharing or importing report templates from untrusted or external sources, as the social engineering path requires a victim to voluntarily import a crafted template. Note that the existing CSP and input validation already partially mitigate the worst-case impact (full XSS and direct data exfiltration), so the residual risk without patching is integrity and availability disruption rather than credential or data theft.
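As an added illustration of the import control described above (this is not Nozomi code or tooling), the following pre-import check walks a report definition and flags any string field or key that carries Angular interpolation delimiters, including HTML-entity-encoded ones. The JSON layout, field names and the helper names are assumptions constructed for the example, since the page does not describe the export format.

```javascript
// Pre-import review of a report definition for Angular interpolation markers.
// ASSUMPTION: the JSON shape and field names are constructed for illustration;
// the product's real export format is not described on this page.

// One interpolation pair, non-greedy, allowed to span newlines.
const INTERPOLATION = /\{\{[\s\S]*?\}\}/;

// Decode HTML-entity spellings of "{" and "}" so encoded delimiters are seen too.
function decodeBraces(s) {
  return s
    .replace(/&(?:#0*123|#x0*7b|lbrace|lcub);/gi, "{")
    .replace(/&(?:#0*125|#x0*7d|rbrace|rcub);/gi, "}");
}

// Walk the parsed document and collect the path of every string value or
// object key that contains an interpolation expression.
function findTemplateExpressions(node, path = "$", hits = []) {
  if (typeof node === "string") {
    if (INTERPOLATION.test(decodeBraces(node))) hits.push(path);
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => findTemplateExpressions(v, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      if (INTERPOLATION.test(decodeBraces(k))) hits.push(`${path}.<key>`);
      findTemplateExpressions(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Gate used before import: hold the file for manual review on any hit.
function reviewImport(report) {
  const hits = findTemplateExpressions(report);
  return { allow: hits.length === 0, hits };
}

// Constructed sample: harmless arithmetic expressions stand in for a payload.
const sampleReport = {
  name: "Weekly asset inventory",
  widgets: [
    { type: "table", title: "Assets by zone" },
    { type: "text", title: "Summary {{ 7 * 7 }}" },
    { type: "text", body: "&#123;&#123; 1 + 1 &#125;&#125;" },
  ],
};

console.log(reviewImport(sampleReport));
```

The check is a screening aid for the import path only; upgrading to 26.1.0 remains the fix.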
EUVD-2025-209892
GHSA-36vw-4j29-fg6f