PatchSiren

CVE-2025-40904 Nozomi Networks CVE debrief

CVE-2025-40904 is a medium-severity stored HTML injection issue in Nozomi Networks Smart Polling. According to the supplied description and NVD record, an authenticated user with limited privileges can submit malicious remote strategies containing HTML tags through sync. When another user views the affected strategy, the injected HTML renders in the browser, creating phishing and possible open-redirect risk. The record also notes that full XSS exploitation and direct information disclosure are prevented by existing input validation and Content Security Policy controls. NVD maps the issue to Nozomi Networks CMC and Guardian versions before 26.1.0.

Vendor: Nozomi Networks
Product: Guardian
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Administrators and security teams running Nozomi Networks CMC or Guardian, especially environments that use Smart Polling or accept strategy sync content from multiple authenticated users. SOC and incident response teams should also care because the issue can be abused for phishing-like browser manipulation.

Technical summary

The vulnerability is a stored HTML injection caused by improper validation of an input parameter in Smart Polling. A low-privilege authenticated attacker can push remote strategy content containing HTML through the sync flow. When a victim views that content, the browser renders the injected HTML. The supplied record identifies CWE-79 and states that validation plus CSP reduce the likelihood of full script execution and direct data disclosure. NVD lists affected CPEs for Nozomi Networks CMC and Guardian with vulnerability coverage ending before 26.1.0.

Defensive priority

Medium priority. The issue requires authenticated access and user interaction, but it can still be used to mislead users or stage phishing and redirect abuse. Prioritize remediation if the affected products are exposed to broader internal user bases or untrusted authenticated accounts.

Recommended defensive actions

  • Check whether Nozomi Networks CMC or Guardian deployments are on versions earlier than 26.1.0.
  • Review which authenticated users can sync or submit remote strategies in Smart Polling and restrict that capability to trusted roles.
  • Apply vendor remediation guidance and upgrade to a fixed release when available.
  • Inspect strategy content and browser-rendered fields for unexpected HTML, phishing cues, or redirect behavior.
  • Ensure data shown in Smart Polling is safely validated and encoded wherever custom integrations or local controls are in place.
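
An added example of the inspection step above (not Nozomi or PatchSiren code): it parses strategy text fields with Python's standard HTML parser and reports any markup a browser would render, classifying links, form elements and redirects. The record layout and the field names id, name and description are assumptions, since the page does not describe the strategy format, and the sample records are constructed.

```python
from html.parser import HTMLParser

URL_ATTRS = ("href", "src", "action", "formaction")
FORM_TAGS = {"form", "input", "button", "iframe"}  # credential-prompt building blocks

class TagCollector(HTMLParser):
    """Records each start tag found in a text field as (tag, kind, target)."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        target = next((a[k] for k in URL_ATTRS if k in a), "")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            kind, target = "redirect", a.get("content", "")
        elif tag == "base":
            kind = "redirect"
        elif tag in FORM_TAGS:
            kind = "phishing-cue"
        elif tag in ("a", "area"):
            kind = "link"
        else:
            kind = "markup"
        self.tags.append((tag, kind, target))

def scan_strategies(strategies, fields=("name", "description")):
    """Return (id, field, tag, kind, target) for every tag in the given fields."""
    findings = []
    for s in strategies:
        for f in fields:
            p = TagCollector()
            p.feed(str(s.get(f, "")))
            p.close()
            findings += [(s["id"], f, *t) for t in p.tags]
    return findings

# Constructed sample records; the field names are hypothetical.
SAMPLE = [
    {"id": 1, "name": "SNMP poll", "description": "Alert when load < 10 and > 2"},
    {"id": 2, "name": "Modbus poll",
     "description": 'Session expired. <a href="https://example.invalid/login">Sign in</a>'},
    {"id": 3, "name": '<meta http-equiv="refresh" content="0;url=https://example.invalid/">',
     "description": "WMI inventory"},
]

if __name__ == "__main__":
    for row in scan_strategies(SAMPLE):
        print(row)
```

Parsing rather than matching on angle brackets keeps plain comparisons such as "load < 10" out of the findings, so any row returned is markup that warrants review.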

Evidence notes

The debrief is based only on the supplied NVD record and the vendor advisory reference it cites. The source text explicitly describes stored HTML injection in Smart Polling, limited-privilege authenticated abuse, phishing/open-redirect risk, and mitigations from input validation plus CSP. NVD metadata provides the affected CPEs, version boundary before 26.1.0, CVSS 4.0 vector, and CWE-79 mapping. The vendor advisory URL is referenced in NVD, but its full text was not included in the corpus.

Official resources

Publicly disclosed in the NVD record on 2026-05-19, with the provided source and modification timestamps matching that date. No KEV entry was listed in the supplied timeline.