VYPR
Medium severity 4.6 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2025-40900

Description

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Angular template injection in Reports of Guardian/CMC before 26.1.0 allows authenticated users to execute crafted templates, impacting data integrity and availability.

Vulnerability

The Reports functionality of Guardian and CMC versions before 26.1.0 contains an Angular template injection vulnerability caused by improper validation of an input parameter. [1]

Exploitation

An authenticated user with report privileges can create a malicious report with an Angular template payload, or a victim can be socially engineered to import a malicious report template. [1]

Impact

When the victim views or imports the report, the Angular template executes in their browser context, allowing modification of application data or disruption of availability. Full XSS and direct information disclosure are prevented by existing input validation and Content Security Policy. [1]

Mitigation

Upgrade to version 26.1.0 or later. Workarounds include using internal firewall features to limit access to the web management interface and reviewing/removing unnecessary accounts. [1]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
