[HIGH] CVE-2025-40899 — CVSS 8.9 (April 15, 2026)

A HIGH-severity vulnerability identified as CVE-2025-40899 has been published on April 15, 2026 with a CVSS base score of 8.9. This security advisory provides a detailed breakdown of the vulnerability, its potential impact, weakness classification, and actionable steps to protect your systems.

Vulnerability Details

CVE ID: CVE-2025-40899
Severity: HIGH
CVSS Score: 8.9
Published: April 15, 2026
Weakness (CWE): CWE-79

Technical Description

A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.

Potential Impact

If exploited, this high-severity vulnerability could allow an attacker to tamper with system integrity, cause a denial of service. Organizations running affected software should treat this as a priority remediation item.

Recommended Action

No official patch is available yet. Until one is released:

1. Monitor the official NVD page and vendor channels for patch announcements.
2. Restrict access to the affected system or service where possible.
3. Apply network-level mitigations such as firewall rules or WAF policies.
4. Enable logging and alerting for anomalous activity related to this vulnerability.
5. Review your incident response plan in case of active exploitation.

View full details on NVD →

References

• Reference 1

Related Security Advisories

• [HIGH] CVE-2025-10551 — CVSS 8.7 (March 31, 2026) — HIGH / CVSS 8.7
• [HIGH] CVE-2025-10553 — CVSS 8.7 (March 31, 2026) — HIGH / CVSS 8.7
• [HIGH] CVE-2026-24032 — CVSS 7.3 (April 14, 2026) — HIGH / CVSS 7.3