VDB
CVE-2025-40893
CVE-2025-40893
PUBLISHED
CVSS 5.300000190734863 MEDIUM
A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
EPSS 0.04% · 13.6th percentile
Risk Scores
CVSS 4.0
5.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS Score
0.04%
13.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Siemens | RUGGEDCOM APE1808 | 0 |
| Nozomi Networks | Guardian | 0, 0 |
| nozomi_networks | guardian | 0, 0 |
| nozominetworks | guardian | 0, 0 |
| nozomi_networks | cmc | 0, 0 |
| nozominetworks | cmc | 0, 0 |
| Nozomi Networks | CMC | 0, 0 |
Timeline
- Dec 18, 2025 CVE Published
- Dec 19, 2025 EPSS Score
- Dec 23, 2025 EPSS Score
- Dec 27, 2025 EPSS Score
- Dec 31, 2025 EPSS Score
- Jan 3, 2026 EPSS Score
- Jan 6, 2026 PoC Published
- Jan 7, 2026 EPSS Score
- Jan 11, 2026 EPSS Score
- Jan 15, 2026 EPSS Score
- Jan 19, 2026 EPSS Score
- Jan 23, 2026 EPSS Score