CVE-2025-40891

Name of the Vulnerable Software and Affected Versions Time Machine (affected versions not specified)

Description A Stored HTML Injection issue exists in the Time Machine Snapshot Diff functionality because of inadequate validation of network traffic data. An attacker who does not need to be authenticated can send crafted network packets at specific times to inject HTML tags into asset attributes across two snapshots. To successfully exploit this, a user must utilize the Time Machine Snapshot Diff feature on the targeted snapshots and perform specific GUI actions, which will then render the injected HTML in their browser. This can lead to phishing and open redirect attacks. While full Cross-Site Scripting (XSS) exploitation is prevented by input validation and Content Security Policy, the injected HTML can still pose a risk. The complexity of exploitation is high due to the multiple conditions that must be met.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.