Nozominetworks


Products by Nozominetworks Sorted by Most Security Vulnerabilities since 2018

Nozominetworks Guardian: 31 vulnerabilities

Nozominetworks Cmc: 29 vulnerabilities

Nozominetworks Arc: 1 vulnerability

By the Year

In 2026 there have been 10 vulnerabilities in Nozominetworks, with an average score of 6.2 out of ten. Last year, in 2025, Nozominetworks had 5 security vulnerabilities published. That is, 5 more vulnerabilities have already been reported in 2026 compared to last year. Last year, the average CVE base score was greater by 0.99.




Year    Vulnerabilities    Average Score
2026    10                 6.15
2025    5                  7.14
2024    3                  6.25
2023    11                 6.85
2022    2                  7.20
2021    2                  6.05

It may take a day or so for new Nozominetworks vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Nozominetworks Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-40904 (May 19, 2026): Nozomi Networks Smart Polling XSS via Unvalidated Input
A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Products: Guardian, Cmc
CVE-2025-40903 (May 19, 2026): Nozomi Networks Stored HTML Injection via Admin Restore Schedule
A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Products: Guardian, Cmc
CVE-2025-40902 (May 19, 2026): Stored HTML Injection in Users Feature (CVE-2025-40902)
A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Products: Guardian, Cmc
CVE-2025-40901 (May 19, 2026): Nozomi Credential Manager Stored HTML Injection (CVE-2025-40901)
A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected identity, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Products: Guardian, Cmc
CVE-2025-40900 (May 19, 2026): Angular Template Injection in Nozomi Reports XSS
An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Products: Guardian, Cmc
CVE-2025-40899 (Apr 15, 2026): Stored XSS via Custom Fields in Nozomi Platform Asset/Node UI
A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.
Products: Guardian, Cmc
CVE-2025-40897 (Apr 15, 2026): View-Only Privileges Bypass in Nozomi Threat Intelligence (CVE-2025-40897)
An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform administrative actions on it, altering the rules configuration, and/or affecting their availability.
Products: Guardian, Cmc
CVE-2025-40896 (Mar 04, 2026): Nozomi Arc Agent TLS Cert Validation Flaw Enabling MITM
The server certificate was not verified when an Arc agent connected to a Guardian or CMC. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. This could result in theft of the client token and sensitive information (such as assets and alerts), impersonation of the server, or injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC.
Products: Arc
CVE-2025-40895 (Mar 04, 2026): Nozomi CMC Stored XSS via Sensor Map (Guardians)
A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. A malicious authenticated user with administrator privileges on a Guardian connected to a CMC can edit the Guardian's properties to inject HTML tags. If the Sensor Map functionality is enabled in the CMC, when a victim CMC user interacts with it, then the injected HTML may render in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Products: Cmc
CVE-2025-40894 (Mar 04, 2026): Stored XSS in Nozomi Alerted Nodes Dashboard
A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter. A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is configured to use the Alerted Nodes Dashboard, and alerts are reported for the affected node, then the injected HTML may render in the browser of a victim user interacting with it, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Products: Guardian, Cmc
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).