Nozomi Guardian and CMC Diagram and Graph Stored HTML Injection Vulnerability
A Stored HTML Injection vulnerability was discovered in the Diagram tab and Graph view due to a shared input validation function being insufficiently restrictive. An authenticated user with administrative privileges can inject malicious HTML tags into N2OS configuration data through multiple input vectors. When a victim views the affected data in the Diagram tab and Graph view, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Quick answer
Nozomi Networks Guardian and CMC should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Nozomi Networks Guardian and CMC up to 26.1.x
Fixed versions
- 26.2.0
How to fix it
Nozomi Guardian and CMC up to 26.1.x is affected by CVE-2026-31981. administrator-supplied N2OS configuration data can render stored HTML in Diagram and Graph views. Upgrade to 26.2.0, sanitize stored N2OS configuration data, and review privileged users who can edit visualization input.
- Inventory affected Nozomi Guardian and CMC deployments and record appliance, sensor, and collector versions.
- Upgrade affected systems from up to 26.1.x to 26.2.0 or later.
- Apply the vendor mitigation if an immediate upgrade cannot be completed.
- Restrict management, synchronization, SAML, and collector interfaces to trusted networks only.
- Review users, roles, sync tokens, certificates, and recent configuration changes for suspicious activity.
- Back up known-good configuration before remediation and after the patched state is confirmed.
- Monitor appliance health, audit logs, and authentication events for repeated exploit attempts.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Nozomi Guardian and CMC is running 26.2.0 or later where applicable.
- Retest the affected workflow in staging or a maintenance window and confirm the vulnerable behavior is blocked.
- Review audit logs after remediation for failed attempts against the affected endpoint or feature.
- Confirm legitimate synchronization, SAML, SSH key, or visualization workflows still work as expected.
- Run a Fixnx scan and confirm public management interfaces are not exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-31981?
Nozomi Networks Guardian and CMC versions listed as affected should be reviewed: Nozomi Networks Guardian and CMC up to 26.1.x.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
