CVE-2025-40901

Name of the Vulnerable Software and Affected Versions The product name cannot be determined (affected versions not specified)

Description A stored HTML injection issue exists in the Credentials Manager functionality caused by improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious identity containing HTML tags. When a victim attempts to delete this identity, the HTML renders in the browser, which may facilitate phishing or open redirect attacks. Existing input validation and Content Security Policy (CSP)—a security layer that helps detect and mitigate certain types of attacks—prevent full cross-site scripting (XSS) and direct information disclosure.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.