CVE-2025-40902
Stored HTML Injection in User Management System
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: Nozomi Networks Inc.
Description
Stored HTML injection in the Users functionality of Nozomi Networks Guardian and CMC before version 26.1.0. Because the username parameter is not properly validated, an authenticated administrative user can create an account whose username contains HTML tags. When another user later deletes a group that contains that account, the stored HTML is rendered in that user's browser, which can be abused for phishing or open redirect attacks. Existing input validation and the Content Security Policy prevent full cross-site scripting (XSS) and direct information disclosure.
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| nozominetworks | cmc | all releases before 26.1.0 (26.1.0 itself is not affected) |
| nozominetworks | guardian | all releases before 26.1.0 (26.1.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The available information does not describe any direct impact of this stored HTML injection on compliance with standards or regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is a stored HTML injection in the Users functionality of Guardian and CMC versions prior to 26.1.0. Because the username parameter is not properly validated, an authenticated administrative user can create a user account whose username contains HTML tags, and the tags are stored as entered.
When another user later deletes a group containing that account, the stored HTML is rendered in that user's browser rather than displayed as text. An injected link or form can therefore be used for phishing (for example, a fake "session expired" prompt that points at an attacker-controlled site) or as an open redirect. Full cross-site scripting (XSS) and direct information disclosure are prevented by the existing input validation and Content Security Policy, which is why the issue is classified as HTML injection rather than script execution.
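The following is an added illustration, not code from Nozomi Networks or from the original advisory, of how a stored username becomes live markup when a page interpolates it without encoding, and what the encoded rendering looks like instead. The function names, the sample accounts and the shape of the "delete group" member list are assumptions made for the example; Guardian's actual template is not shown on this page.

```javascript
// Added example (not Nozomi's code). Names and data are assumptions.

// Constructed sample: one benign account and one whose username an
// administrator created with embedded HTML, the vector described above.
const groupMembers = [
  { id: 1, username: "alice" },
  {
    id: 2,
    username:
      '<a href="https://attacker.example/login">Session expired, sign in again</a>',
  },
];

// Vulnerable pattern: the username is concatenated straight into the
// markup of the confirmation list, so the browser parses the <a> tag
// and shows a clickable phishing link instead of the literal text.
function renderMembersUnsafe(members) {
  return (
    "<ul>" + members.map((m) => `<li>${m.username}</li>`).join("") + "</ul>"
  );
}

// Hardened pattern: encode the five characters that carry meaning in
// HTML text and attribute contexts before interpolation.
function escapeHtml(s) {
  return String(s).replace(
    /[&<>"']/g,
    (c) =>
      ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]
  );
}

function renderMembersSafe(members) {
  return (
    "<ul>" +
    members.map((m) => `<li>${escapeHtml(m.username)}</li>`).join("") +
    "</ul>"
  );
}

// Crude self-check: does the rendered fragment contain any element the
// template itself did not emit (anything other than ul/li)?
function containsForeignTag(html) {
  return /<(?!\/?(ul|li)\b)[a-z][^>]*>/i.test(html);
}

console.log("unsafe:", renderMembersUnsafe(groupMembers));
console.log("safe:  ", renderMembersSafe(groupMembers));
console.log("foreign tag in unsafe output:", containsForeignTag(renderMembersUnsafe(groupMembers)));
console.log("foreign tag in safe output:  ", containsForeignTag(renderMembersSafe(groupMembers)));
```

The unsafe output contains a real anchor element; the safe output shows the attacker's text verbatim, brackets included, which is exactly what a user deleting the group should see. Output encoding at render time is the fix that survives even if a future code path accepts a wider character set for usernames.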
How can this vulnerability impact me?
An attacker who already holds an administrative account can use it to plant HTML that is rendered in the browser of any user who later deletes a group containing the malicious account, enabling phishing and open redirect attacks against that user.
Although full XSS exploitation and direct information disclosure are mitigated, the issue still represents a medium risk: a convincing injected link or form can lead an otherwise careful user to hand credentials to an attacker-controlled site.
To reduce the risk, upgrade to version 26.1.0 or later, restrict access to the web management interface with internal firewall rules, review and remove unnecessary administrative accounts, and inspect existing usernames for HTML content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation leaves an artifact in the user database: a username containing HTML. Detection therefore consists of listing all usernames and looking for characters or tags that a legitimate username would never contain.
Search the list for angle brackets ("<", ">"), tag names such as a, img, form, iframe or script, HTML entities such as "&lt;", and link schemes such as "javascript:", since an attacker probing the field may try encoded variants as well as literal tags.
- If usernames can be queried from a database, run a query that returns every username containing an angle bracket or an HTML tag.
- If you have exported the user list to a text file, search it for angle brackets: grep -nE '<|>' /path/to/usernames_file
- Review the administrative accounts in particular, manually or by script, since only an administrator can create the malicious username.
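As an added example (not part of the original page or of any Nozomi tooling), the script below runs the checks listed above over a user list. It assumes the list has been exported as an array of objects with a "username" field; the loader, the check set and the allow-list policy are all assumptions to adapt to your own export format and naming rules. It goes beyond a bare search for "<" by also flagging entity-encoded brackets, script-scheme text and inline event-handler attributes, and it reports usernames that violate a conservative character allow-list even when no HTML pattern fires.

```javascript
// Added example (not Nozomi's code). Input format and policy are assumptions.

// Constructed sample user list, as it might come from a Users-page export.
const sampleUsers = [
  { username: "alice" },
  { username: "bob.smith" },
  { username: "ops-team_2" },
  { username: '<img src=x onerror="alert(1)">' },
  { username: '<a href="https://attacker.example/reset">Reset your password</a>' },
  { username: "&lt;script&gt;" },
  { username: "click here: javascript:alert(1)" },
  { username: "O'Brien" },
];

// Each check contributes a reason string when its pattern matches.
const checks = [
  { reason: "html tag", re: /<\s*\/?[a-z][^>]*>/i },
  { reason: "angle bracket", re: /[<>]/ },
  { reason: "html entity", re: /&(#\d+|#x[0-9a-f]+|[a-z]+);/i },
  { reason: "script scheme", re: /\b(javascript|data|vbscript):/i },
  { reason: "event handler attribute", re: /\bon[a-z]+\s*=/i },
];

// Returns [{ username, reasons }] for every username that trips a check.
function findSuspiciousUsernames(users) {
  const flagged = [];
  for (const u of users) {
    const name = String(u.username ?? "");
    const reasons = checks.filter((c) => c.re.test(name)).map((c) => c.reason);
    if (reasons.length > 0) flagged.push({ username: name, reasons });
  }
  return flagged;
}

// Allow-list policy (an assumption): letters, digits, dot, underscore,
// hyphen and "@", 1 to 64 characters. Anything else is worth a look
// even if none of the HTML-specific patterns matched.
function violatesUsernamePolicy(name) {
  return !/^[A-Za-z0-9._@-]{1,64}$/.test(name);
}

// Builds the report lines: one SUSPICIOUS line per HTML finding, plus a
// POLICY line for names outside the allow-list that were not already flagged.
function report(users) {
  const lines = [];
  for (const f of findSuspiciousUsernames(users)) {
    lines.push(`SUSPICIOUS ${JSON.stringify(f.username)} (${f.reasons.join(", ")})`);
  }
  for (const u of users) {
    const name = String(u.username ?? "");
    if (violatesUsernamePolicy(name) && findSuspiciousUsernames([u]).length === 0) {
      lines.push(`POLICY ${JSON.stringify(name)} (character outside allow-list)`);
    }
  }
  return lines;
}

console.log(report(sampleUsers).join("\n"));
```

Run it against your real export rather than the constructed sample; any SUSPICIOUS line is a strong indicator that an administrative account has already been used to plant the payload, and the account that created it should be investigated along with the username itself.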
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade the Guardian and CMC software to version 26.1.0 or later, where the vulnerability is fixed.
- Restrict access to the web management interface by applying internal firewall rules to limit who can reach the interface.
- Review and remove any unnecessary administrative user accounts, since only an administrative account can create the malicious username.
- Inspect existing usernames for suspicious HTML content and remove or correct any malicious usernames found.