Description
A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.
Published: 2026-04-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows an attacker to execute code in the victim's browser and perform unauthorized actions such as data modification, disruption, and limited data disclosure
Action: Immediate Patch
AI Analysis

Impact

A stored XSS flaw exists in the Assets and Nodes functionality of Nozomi Networks CMC and Guardian. The flaw arises from improper validation of a custom field input. An authenticated user with privileges to create custom fields can embed JavaScript payloads that are persisted. When a victim visits the Assets or Nodes pages, the malicious script runs within the victim’s browser context, enabling the attacker to perform actions on behalf of the user, including modifying application data, disrupting availability, and accessing limited sensitive information. This weakness is classified as CWE‑79.

Affected Systems

Versions of Nozomi Networks CMC and Guardian earlier than 26.0.0 are affected. The vulnerability is present in the Assets and Nodes modules of these products.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating high severity. No EPSS score is available and the flaw is not listed in CISA’s KEV catalog, suggesting it has not yet been actively exploited in the wild. Exploitation requires an authenticated user with custom field creation rights to inject malicious content, after which any user who accesses the vulnerable pages triggers the payload. The attack vector is the browser, and the impact encompasses confidentiality, integrity, and availability of the application.

Generated by OpenCVE AI on April 15, 2026 at 10:52 UTC.

Remediation

Vendor Solution

Upgrade to v26.0.0 or later.

Vendor Workaround

Use internal firewall features to limit access to the web management interface.

OpenCVE Recommended Actions

  • Upgrade to version 26.0.0 or later.
  • Use internal firewall features to limit access to the web management interface.
  • Review all accounts with access to the interface and delete unnecessary ones.
  • Audit existing custom fields to ensure no malicious scripts remain.

Generated by OpenCVE AI on April 15, 2026 at 10:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.
Title Stored Cross-Site Scripting (XSS) in Assets and Nodes in Guardian/CMC before 26.0.0
First Time appeared Nozomi Networks
Nozomi Networks cmc
Nozomi Networks guardian
Weaknesses CWE-79
CPEs cpe:2.3:a:nozomi_networks:cmc:*:*:*:*:*:*:*:*
cpe:2.3:a:nozomi_networks:guardian:*:*:*:*:*:*:*:*
Vendors & Products Nozomi Networks
Nozomi Networks cmc
Nozomi Networks guardian
References
Metrics cvssV3_1

{'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L'}

Subscriptions

Nozomi Networks Cmc Guardian
cve-icon MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-04-15T13:20:23.839Z

Reserved: 2025-04-16T09:04:35.923Z

Link: CVE-2025-40899

cve-icon Vulnrichment

Updated: 2026-04-15T13:20:18.993Z

cve-icon NVD

Status : Received

Published: 2026-04-15T09:16:30.837

Modified: 2026-04-15T09:16:30.837

Link: CVE-2025-40899

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses