CVE-2025-40891 LOW

CVE-2025-40891: HTML injection in in Time Machine functionality in Guardian/CMC before 25.5.0

Vendor Nozomi Networks
Product Guardian
Weakness CWE-79 · XSS
Published December 18, 2025
Last update June 9, 2026

CVSS base score

2.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions.

Key dates

02Disclosure timeline

December 18, 2025 CVE published
June 9, 2026 Record updated