CVE-2025-40900 MEDIUM

CVE-2025-40900: Angular template injection in Reports in Guardian/CMC before 26.1.0

Vendor Nozomi Networks
Product Guardian
Weakness CWE-1336
Published May 19, 2026
Last update June 9, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Key dates

02Disclosure timeline

May 19, 2026 CVE published
June 9, 2026 Record updated

Related vulnerabilities

04Related CVE