CVE-2025-40899
Received Received - Intake

Stored XSS in Assets and Nodes Allows Privilege Abuse

Vulnerability report for CVE-2025-40899, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Nozomi Networks Inc.

Description

A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-07-06
AI Q&A
2026-04-15
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nozominetworks guardian to 26.0.0 (exc)
nozominetworks cmc to 26.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-40899 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Assets and Nodes functionality of certain products. It occurs because of improper validation of an input parameter, allowing an authenticated user with privileges to manage custom fields to inject malicious JavaScript code into a custom field.

When another user views the affected Assets or Nodes pages, this malicious script executes in their browser, enabling the attacker to perform unauthorized actions such as modifying application data, disrupting application availability, and accessing sensitive information.

Compliance Impact

The Stored Cross-Site Scripting (XSS) vulnerability allows attackers to execute unauthorized actions such as modifying application data, disrupting availability, and accessing sensitive information. This exposure of sensitive information and potential data manipulation can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and maintaining system integrity and availability.

Specifically, unauthorized access to sensitive information due to this vulnerability could lead to breaches of confidentiality requirements under these regulations. Additionally, disruption of application availability and data integrity may violate operational and security controls mandated by such standards.

Mitigation measures such as restricting access, auditing user accounts, and upgrading to fixed versions are critical to maintaining compliance.

Impact Analysis

This vulnerability can have several serious impacts including unauthorized modification of application data, disruption of application availability, and unauthorized access to sensitive information.

  • Modification of application data by attackers acting as the victim.
  • Disruption of the availability of the application.
  • Access to limited sensitive information that should otherwise be protected.
Detection Guidance

This vulnerability can be detected by auditing and reviewing the custom fields defined in the Assets and Nodes functionality for any malicious JavaScript payloads injected by authenticated users with custom fields privileges.

Since the vulnerability involves stored cross-site scripting in web application input parameters, detection involves inspecting the content of custom fields for suspicious scripts.

No specific commands are provided in the available resources, but general approaches include querying the database or using web interface tools to list and review custom fields for suspicious JavaScript code.

Mitigation Strategies
  • Restrict access to the web management interface using internal firewall features to limit exposure.
  • Audit and remove unnecessary user accounts, especially those with privileges to manage custom fields.
  • Review existing custom fields for malicious content and remove or sanitize any suspicious entries.
  • Upgrade the affected products (Guardian and CMC) to version 26.0.0 or later, where the vulnerability has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40899. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart