High severity8.9NVD Advisory· Published Dec 18, 2025· Updated Apr 14, 2026

CVE-2025-40892

Description

A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.

Affected products

Nozominetworks/Cmc
cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*
Range: <25.5.0
Nozominetworks/Guardian
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*
Range: <25.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.nozominetworks.com/NN-2025:13-01nvdMitigationVendor Advisory
cert-portal.siemens.com/productcert/html/ssa-827968.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.579
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000