CVE-2025-40904

Name of the Vulnerable Software and Affected Versions The product name cannot be determined (affected versions not specified)

Description A stored HTML injection issue exists in the Smart Polling functionality caused by improper validation of an input parameter. An authenticated user with limited privileges can inject malicious HTML tags through the sync process. When a victim views the affected remote strategy, the HTML renders in the browser, which may facilitate phishing or open redirect attacks. Full Cross-Site Scripting (XSS)—a technique where malicious scripts are injected into trusted websites—and direct information disclosure are mitigated by existing input validation and Content Security Policy (CSP) configurations.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.