Angular template injection in Reports in Guardian/CMC before 26.1.0

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Description

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Basic Information

ID CVE-2025-40900

Source Nozomi

Published May 19, 2026 at 13:17

Modified May 19, 2026 at 14:09

Affected Product

Vendor Nozomi Networks

Product Guardian

Affected Versions Nozomi Networks Guardian 0
Nozomi Networks CMC 0

CWE Classification

CWE-1336

References

security.nozominetworks.com /NN-2026:3-01

{
    "lastseen": "",
    "description": "An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.",
    "published": "2026-05-19T13:17:21.852Z",
    "modified": "2026-05-19T14:09:56.116Z",
    "type": "cve",
    "title": "Angular template injection in Reports in Guardian/CMC before 26.1.0",
    "source": "Nozomi",
    "references": "https://security.nozominetworks.com/NN-2026:3-01",
    "id": "CVE-2025-40900",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1336"
    ],
    "cvelist": null,
    "sourceData": "Nozomi Networks Guardian 0\nNozomi Networks CMC 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Guardian",
    "version": "0",
    "vendor": "Nozomi Networks",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Angular template injection in Reports in Guardian/CMC before 26.1.0_CVE-2025-40900