VDB

CVE-2025-40893

CVE-2025-40893 PUBLISHED CVSS 5.300000190734863 MEDIUM

A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

EPSS 0.04% · 13.6th percentile

Risk Scores

CVSS 4.0
5.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS Score
0.04%
13.6th percentile

Affected Products

VendorProductVersions
SiemensRUGGEDCOM APE18080
Nozomi NetworksGuardian0, 0
nozomi_networksguardian0, 0
nozominetworksguardian0, 0
nozomi_networkscmc0, 0
nozominetworkscmc0, 0
Nozomi NetworksCMC0, 0

Timeline

  • Dec 18, 2025 CVE Published
  • Dec 19, 2025 EPSS Score
  • Dec 23, 2025 EPSS Score
  • Dec 27, 2025 EPSS Score
  • Dec 31, 2025 EPSS Score
  • Jan 3, 2026 EPSS Score
  • Jan 6, 2026 PoC Published
  • Jan 7, 2026 EPSS Score
  • Jan 11, 2026 EPSS Score
  • Jan 15, 2026 EPSS Score
  • Jan 19, 2026 EPSS Score
  • Jan 23, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›