
CVE-2025-40899

Severity: High
Published: 15 April 2026
Modified: 12 May 2026
KEV added: not listed
Patch: vendor patch available (advisory NN-2026:2-01)
CVSS v4.0 base score: 7.1 (High); vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0029 (20.3rd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-40899 is a high-severity stored cross-site scripting (CWE-79) vulnerability in Nozomi Networks software (vendor inferred from references; NVD has not filed a CPE for this CVE). Its CVSS v4.0 base score is 7.1 (High) and its CVSS v3.1 base score is 8.9 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique JavaScript (T1059.007). The CVE sits at the 20.3rd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-40899 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in the Assets and Nodes functionality of Nozomi Networks software, caused by improper validation of an input parameter. Published on 15 April 2026, it carries a CVSS v3.1 base score of 8.9 (High; AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H) alongside the CVSS v4.0 base score of 7.1. The changed scope and the high integrity and availability impacts drive the rating; the confidentiality impact is rated low.

An authenticated attacker who holds custom-fields privileges can define a custom field whose value carries a JavaScript payload. The value is stored and later rendered into the Assets and Nodes pages, so the payload executes in the browser of every user who views those pages, with that user's session and privileges. The attacker can therefore act as the victim: modify application data, disrupt application availability, and read limited sensitive information. Because the attacker needs only low privileges (PR:L) while the viewer may be an administrator, this is in practice a privilege-escalation path that depends only on a victim opening an ordinary page (UI:R).

Mitigation details are available in the vendor advisory NN-2026:2-01 at https://security.nozominetworks.com/NN-2026:2-01.


Vulnerability details

A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.


MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS directly enables arbitrary JavaScript execution in victim browser (T1059.007) and facilitates session impersonation/hijacking via payload (T1185).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24838 (shared CWE-79)
CVE-2026-35576 (shared CWE-79)
CVE-2025-22598 (shared CWE-79)
CVE-2025-23531 (shared CWE-79)
CVE-2025-0555 (shared CWE-79)
CVE-2026-34566 (shared CWE-79)
CVE-2026-48839 (shared CWE-79)
CVE-2026-24744 (shared CWE-79)
CVE-2025-27279 (shared CWE-79)
CVE-2025-23553 (shared CWE-79)

Affected Assets

Nozomi Networks (vendor inferred from references and description; NVD has not filed a CPE for this CVE, so the affected product and version range are not recorded here; consult advisory NN-2026:2-01)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent)
Directly mitigates the root cause by requiring validation of the input parameters of custom fields, blocking injection of JavaScript payloads at write time.

SI-15 Information Output Filtering (prevent)
Prevents execution of stored XSS payloads by filtering or encoding information on output when the Assets and Nodes pages are rendered in victims' browsers.

Flaw remediation (prevent, recover)
Requires timely identification, reporting, and remediation of the stored XSS flaw, including applying the vendor patches from advisory NN-2026:2-01.
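The mechanism described in the deeper analysis (a stored custom-field value rendered into the Assets and Nodes pages) and the two preventive controls above (SI-10 input validation, SI-15 output filtering), shown together as an added JavaScript example. This is not Nozomi Networks code and does not reflect the product's actual rendering path or the real parameter involved; the asset records, the custom-field name `location`, the payload and the validation policy are all constructed for illustration.

```javascript
// Added example, not Nozomi Networks code: a minimal model of a stored
// custom-field value reaching an Assets/Nodes table, with a vulnerable
// renderer beside a hardened one. Records, field names, payload and the
// validation policy are constructed for illustration.

// Constructed payload: what a low-privileged user with custom-fields rights
// might save as a field value. It fires when the image fails to load.
const XSS_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Constructed asset records; "location" stands in for any custom field.
const ASSETS = [
  { name: 'plc-01', ip: '10.0.0.5', customFields: { location: 'Line A' } },
  { name: 'hmi-02', ip: '10.0.0.9', customFields: { location: XSS_PAYLOAD } },
];

// Vulnerable renderer (CWE-79): the stored value is concatenated straight
// into markup, so the payload runs in every viewer's browser.
function renderAssetsVulnerable(assets) {
  return assets
    .map(a => `<tr><td>${a.name}</td><td>${a.ip}</td><td>${a.customFields.location}</td></tr>`)
    .join('\n');
}

// SI-15 style output filtering: encode every character that has meaning in
// HTML text or attribute context before it reaches the document.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, ch => map[ch]);
}

// SI-10 style input validation at write time. The policy is an assumption:
// field names are short identifiers, values are bounded text without markup.
const FIELD_NAME_RE = /^[A-Za-z][A-Za-z0-9_ -]{0,63}$/;
const MAX_VALUE_LEN = 256;

function validateCustomField(name, value) {
  if (typeof name !== 'string' || !FIELD_NAME_RE.test(name)) {
    return { ok: false, reason: 'invalid field name' };
  }
  if (typeof value !== 'string' || value.length > MAX_VALUE_LEN) {
    return { ok: false, reason: 'value missing or too long' };
  }
  // Reject tag delimiters, inline event handlers and javascript: URLs.
  // This keeps junk out of the data store; it does not replace output encoding.
  if (/[<>]/.test(value) || /\bon[a-z]+\s*=/i.test(value) || /javascript:/i.test(value)) {
    return { ok: false, reason: 'markup not allowed in custom field values' };
  }
  return { ok: true };
}

// Hardened renderer: every cell passes through escapeHtml, so a value that
// bypassed validation (legacy data, a validation bug) still cannot become markup.
function renderAssetsHardened(assets) {
  return assets
    .map(a => `<tr><td>${escapeHtml(a.name)}</td><td>${escapeHtml(a.ip)}</td><td>${escapeHtml(a.customFields.location)}</td></tr>`)
    .join('\n');
}

// Review check: does any table cell still contain a raw "<" that could open a
// tag? Only cell contents are inspected, not the table's own markup.
function cellsContainRawMarkup(html) {
  const cells = [...html.matchAll(/<td>([\s\S]*?)<\/td>/g)].map(m => m[1]);
  return cells.some(c => c.includes('<'));
}

console.log('vulnerable render leaks markup:', cellsContainRawMarkup(renderAssetsVulnerable(ASSETS)));
console.log('hardened render leaks markup:', cellsContainRawMarkup(renderAssetsHardened(ASSETS)));
console.log('payload accepted at write time:', validateCustomField('location', XSS_PAYLOAD));
```

Two points the example is meant to make: validation alone is not enough, because data written before the fix, or through another code path, still reaches the renderer, so the encoding step is the control that actually stops execution; and the encoder is context-specific, so a value placed into an attribute, a URL or a script block needs a different encoder than the HTML-text one shown here. In a browser the equivalent of `escapeHtml` for text content is assigning `textContent` instead of `innerHTML`.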
