CVE-2025-40895

MEDIUM 4.8

HTML injection in Sensor Map in CMC before 25.6.0

CVSS Score

4.8

EPSS Score

0.0%

EPSS Percentile

0th

A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. A malicious authenticated user with administrator privileges on a Guardian connected to a CMC can edit the Guardian's properties to inject HTML tags. If the Sensor Map functionality is enabled in the CMC, when a victim CMC user interacts with it, then the injected HTML may render in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

CWE	CWE-79
Vendor	nozomi networks
Product	cmc
Published	Mar 4, 2026
Last Updated	Mar 4, 2026

Stay Ahead of the Next One

Get instant alerts for nozomi networks cmc

Be the first to know when new medium vulnerabilities affecting nozomi networks cmc are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Nozomi Networks / CMC

0 < 25.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

security.nozominetworks.com: https://security.nozominetworks.com/NN-2025:17-01

Credits

This issue was found by Stefano Libero of Nozomi Networks Product Security team during an internal investigation.