CVE-2025-40899

HIGH

Stored Cross-Site Scripting (XSS) in Assets and Nodes in Guardian/CMC before 26.0.0

Title source: cna

Description

A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.

References (2)

Core 2

Core References

https://security.nozominetworks.com/NN-2026:2-01

Vendor Advisory

https://cert-portal.siemens.com/productcert/html/ssa-827968.html

Scores

CVSS v3 8.9

EPSS 0.0029

EPSS Percentile 20.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-79

Status published

Products (2)

Nozomi Networks/CMC < 26.0.0

Nozomi Networks/Guardian < 26.0.0

Published Apr 15, 2026

Tracked Since Apr 15, 2026