Alerted Nodes Dashboard allows malicious users to inject HTML code
CVE-2025-40894
Summary
A malicious user with special permissions can compromise the security of the Alerted Nodes Dashboard by injecting HTML code into the system. This could allow them to trick other users into revealing sensitive information or visiting malicious websites. To fix this, update the software to the latest version.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nozominetworks | cmc | <= 25.6.0 | – |
| nozominetworks | guardian | <= 25.6.0 | – |
Original title
A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter.
A malicious authenticated user with the requir...
Original description
A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter.
A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is configured to use the Alerted Nodes Dashboard, and alerts are reported for the affected node, then the injected HTML may render in the browser of a victim user interacting with it, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
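As an added illustration (not Nozomi Networks code and not taken from the advisory), the rendering pattern the description implies, where a stored node label is concatenated into dashboard markup, beside the two controls that close it: escaping on output and validation on input. The node record, label value, allow-list and function names are assumptions for the demo.

```javascript
// Hypothetical alerted-node record, as a dashboard might receive it from an API.
// The label value is constructed for this demo: an attacker-controlled string
// containing an HTML tag, stored earlier via a "edit node label" action.
const alertedNode = {
  ip: "10.0.0.5",
  label: '<a href="https://example.invalid/">PLC-01</a>', // constructed
};

// Vulnerable pattern: the label is interpolated into HTML and later handed to
// something like innerHTML, so the tag becomes a live link in the victim's browser.
function renderRowUnsafe(node) {
  return `<tr><td>${node.ip}</td><td>${node.label}</td></tr>`;
}

// Control 1 (output side): escape the HTML-significant characters so the label
// can only ever render as text, whatever was stored.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderRowSafe(node) {
  return `<tr><td>${escapeHtml(node.ip)}</td><td>${escapeHtml(node.label)}</td></tr>`;
}

// Control 2 (input side): validate the label when it is edited so markup is never
// stored. The allow-list below is an assumption; a product would use its own rules.
const LABEL_RE = /^[\p{L}\p{N} _.\-:\/()]{1,64}$/u;
function isValidLabel(label) {
  return LABEL_RE.test(label);
}

// Audit helper: flag labels already in the database that contain tag-like markup,
// which is what a defender would scan for after applying the fix.
function labelContainsMarkup(label) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(label);
}
```

The unsafe renderer passes the tag through untouched, the safe one emits `&lt;a href=...` as visible text, and the validator rejects the label before it is ever stored.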
nvd CVSS3.1: 5.4
nvd CVSS4.0: 2.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://security.nozominetworks.com/NN-2025:16-01 Vendor Advisory
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026