CMC Sensor Map allows malicious user to inject HTML code

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

2.0

CMC Sensor Map allows malicious user to inject HTML code

CVE-2025-40895

Summary

A malicious administrator on a connected Guardian device can inject HTML code into the CMC's Sensor Map. This can trick users into divulging sensitive information or visiting fake websites. To fix this, ensure you're running the latest software and configure your Content Security Policy correctly.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
nozominetworks	cmc	<= 25.6.0	–

Original title

A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. A malicious authenticated user with admi...

Original description

A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties.

A malicious authenticated user with administrator privileges on a Guardian connected to a CMC can edit the Guardian's properties to inject HTML tags. If the Sensor Map functionality is enabled in the CMC, when a victim CMC user interacts with it, then the injected HTML may render in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

nvd CVSS3.1 4.8

nvd CVSS4.0 2.0

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://security.nozominetworks.com/NN-2025:17-01 Vendor Advisory

Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026