CVE-2025-40903 MEDIUM

CVE-2025-40903: HTML injection in Schedule Restore Archive in Guardian/CMC before 26.1.0

Vendor Nozomi Networks

Product Guardian

Weakness CWE-79 · XSS

Published May 19, 2026

Last update June 9, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

What the vulnerability does

01Description

A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Key dates

02Disclosure timeline

May 19, 2026 CVE published

June 9, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-40903

Related vulnerabilities

Identifiers

CVE CVE-2025-40903

CWE CWE-79

CVSS 4.8 / MEDIUM

Affected versions

Vendor Nozomi Networks

Product Guardian

Affected < 26.1.0

Vendor Nozomi Networks

Product CMC

Affected < 26.1.0

CVE-2025-40903: HTML injection in Schedule Restore Archive in Guardian/CMC before 26.1.0

01Description

02Disclosure timeline

03References

04Related CVE