VYPR
Medium severity 5.9 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2025-40903

Description

A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored HTML injection in Nozomi Networks Guardian/CMC Schedule Restore Archive allows admin-level phishing via injected HTML tags.

Vulnerability

A Stored HTML Injection vulnerability exists in the Schedule Restore Archive functionality of Nozomi Networks Guardian and CMC products prior to version 26.1.0. The flaw arises from improper validation of an input parameter used when defining a restore schedule. An authenticated user with administrative privileges can inject arbitrary HTML tags into the schedule name or description [1].

Exploitation

An attacker must have administrative access to the web management interface. The attacker creates or modifies a restore schedule, inserting malicious HTML tags (e.g., `` elements pointing to an attacker-controlled site). When any other user views the affected schedule in the management interface, the injected HTML is rendered in their browser [1].

Impact

The injected HTML can be used for phishing attacks (displaying fake login forms or prompts) and open redirect attacks (convincing users to click a link that redirects outside the application). Full cross-site scripting (XSS) and direct information disclosure are not possible due to existing input validation and Content Security Policy (CSP) measures [1].

Mitigation

Upgrade to version 26.1.0 or later, which contains the fix. If immediate upgrade is not possible, restrict network access to the web management interface via internal firewall rules and review accounts with administrative privileges to remove unnecessary ones [1].
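
For reviewing schedules that may already contain injected markup, the following is an added example, not code from Nozomi Networks or from the advisory. It assumes schedule records have been exported as dictionaries with hypothetical `id`, `name` and `description` fields, flags any HTML start tags stored in them, and shows output encoding as a standard defense for this bug class (the page does not state how the vendor fix works).

```python
import html
from html.parser import HTMLParser

# Tags that enable the phishing / redirect outcomes the advisory describes.
RISKY_TAGS = {"a", "form", "input", "button", "img", "iframe", "meta", "base"}


class _TagCollector(HTMLParser):
    """Collects start tags and URL-bearing attributes found in a text field."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        urls = [v for k, v in attrs if k in ("href", "src", "action") and v]
        self.findings.append({"tag": tag, "risky": tag in RISKY_TAGS, "urls": urls})


def audit_field(value):
    """Return the HTML start tags present in one stored field value."""
    collector = _TagCollector()
    collector.feed(value)
    collector.close()
    return collector.findings


def audit_schedules(records, fields=("name", "description")):
    """Map schedule id -> findings for every record that contains markup."""
    report = {}
    for rec in records:
        hits = [f for field in fields for f in audit_field(str(rec.get(field, "")))]
        if hits:
            report[rec["id"]] = hits
    return report


def render_safe(value):
    """Output-encode a stored value so a browser shows it as literal text."""
    return html.escape(value, quote=True)


# Constructed sample records; field names are assumptions, not the product schema.
SAMPLE = [
    {"id": 1, "name": "Nightly restore", "description": "Runs at 02:00 < 03:00"},
    {"id": 2, "name": "Weekly",
     "description": 'See <a href="https://example.invalid/login">details</a>'},
]
```

A bare `<` in ordinary text (record 1) is not reported; only parsed start tags are, so the report can be used to prioritise which schedules an administrator should inspect.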

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.


References

1
