CVE-2025-40902

Name of the Vulnerable Software and Affected Versions The product name cannot be determined (affected versions not specified)

Description A stored HTML injection issue exists in the Users functionality caused by improper validation of an input parameter. An authenticated user with administrative privileges can create a user account with a username containing HTML tags. When another user attempts to delete a group that includes this malicious user, the injected HTML is rendered in the browser. This can be used to facilitate phishing or open redirect attacks. Full Cross-Site Scripting (XSS)—a technique where malicious scripts are injected into trusted websites—and direct information disclosure are mitigated by current input validation and Content Security Policy (CSP) configurations.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.