Medium severity4.4NVD Advisory· Published Mar 4, 2026· Updated Apr 14, 2026

CVE-2025-40894

Description

A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter.

A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is configured to use the Alerted Nodes Dashboard, and alerts are reported for the affected node, then the injected HTML may render in the browser of a victim user interacting with it, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Affected products

Nozominetworks/Cmc
cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*
Range: <25.6.0
Nozominetworks/Guardian
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*
Range: <25.6.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.nozominetworks.com/NN-2025:16-01nvdVendor Advisory
cert-portal.siemens.com/productcert/html/ssa-827968.htmlnvd

News mentions

How Dangerous Is Anthropic’s Mythos AI?
Schneier on Security · May 14, 2026
Deepfake sextortion forces schools to remove student photos from websites
Malwarebytes Labs · May 14, 2026
Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing?
The Hacker News · May 6, 2026
Medical data of 500,000 UK volunteers listed for sale on Alibaba
Malwarebytes Labs · Apr 24, 2026
Risky Business #825 -- Palo Alto Networks blames it on the boogie
Risky Business · Feb 18, 2026
Risky Business #824 -- Microsoft's Secure Future is looking a bit wobbly
Risky Business · Feb 11, 2026

cvss	0.286
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000