CVE-2025-40900
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload.
Risk Assessment
An attacker can modify application data or disrupt application availability when the victim views or imports the malicious report template. Existing input validation and Content Security Policy configuration prevent full XSS exploitation and direct information disclosure.
Recommendation
It is recommended to review and strengthen input parameter validation and to monitor the activities of users with report privileges to detect potential attack attempts.
Original NVD description (English source)
An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

