PatchSiren cyber security CVE debrief
CVE-2025-40900 Nozomi Networks CVE debrief
CVE-2025-40900 is a medium-severity Angular template injection vulnerability affecting Nozomi Networks CMC and Guardian versions before 26.1.0. The issue is in the Reports functionality and stems from improper validation of an input parameter. An authenticated user with report privileges can create a malicious report, or a victim can be tricked into importing a malicious report template. When the report is viewed or imported, the Angular template runs in the victim’s browser context and can be used to modify application data or disrupt availability. The vendor and NVD note that existing input validation and Content Security Policy reduce the likelihood of full XSS exploitation and direct information disclosure.
- Vendor
- Nozomi Networks
- Product
- Guardian
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-19
- Original CVE updated
- 2026-05-20
- Advisory published
- 2026-05-19
- Advisory updated
- 2026-05-20
Who should care
Administrators and security teams running Nozomi Networks CMC or Guardian, especially deployments that allow report creation, report import, or broad report-viewing access. Organizations should pay particular attention to environments where privileged users can share report templates or where users may be socially engineered into importing files.
Technical summary
NVD and the vendor advisory describe CVE-2025-40900 as CWE-1336 Angular template injection in Reports. The vulnerable CPEs are Nozomi Networks CMC and Guardian, with affected versions ending before 26.1.0. The reported attack path requires low privileges and user interaction: a user with report privileges can define a malicious template, or a victim can import one. Execution occurs in the browser context of the viewer/importer, with impact limited by validation and CSP; NVD’s CVSS v4.0 vector reflects network reachability, low attack complexity, low privileges, and user interaction, with integrity and availability impact noted.
Defensive priority
Medium. This is not marked as an actively exploited or KEV-listed issue, but it affects browser-side code execution paths in reporting workflows and can lead to application data manipulation or service disruption. Prioritize remediation if report import/sharing is enabled or if untrusted users can create reports.
Recommended defensive actions
- Upgrade Nozomi Networks CMC and Guardian to version 26.1.0 or later, based on the vulnerable version criteria published by NVD.
- Restrict who can create, share, and import report templates; apply least privilege to report-related roles.
- Treat imported report templates as untrusted content and review any workflows that allow users to exchange report files.
- Monitor for unusual report activity, especially newly created templates or imports from unexpected users.
- Review the vendor advisory for any product-specific mitigation steps or deployment guidance.
- Validate that Content Security Policy and input validation remain enabled and aligned with the vendor’s recommended configuration.
Evidence notes
This debrief is based only on the supplied NVD record and the linked Nozomi Networks vendor advisory. NVD lists the CVE as published on 2026-05-19 and modified on 2026-05-20, with vuln status 'Analyzed.' The NVD record identifies CWE-1336 and vulnerable CPE criteria for Nozomi Networks CMC and Guardian before 26.1.0, and includes the vendor advisory reference NN-2026:3-01.
Official resources
-
CVE-2025-40900 CVE record
CVE.org
-
CVE-2025-40900 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
Publicly disclosed in the CVE record on 2026-05-19 and updated on 2026-05-20. This debrief reflects the CVE publication timeline provided in the source corpus, not the debrief generation date.