Stored XSS in Alert Transport name field in LibreNMS

5.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Description

LibreNMS is a community-based GPL-licensed network monitoring system. LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the Transport name field is stored and later rendered in the Transports column of the Alert Rules page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin’s browser. This vulnerability is fixed in 25.10.0.

Basic Information

ID CVE-2025-62411

Source GitHub_M

Published Oct 16, 2025 at 17:50

Modified Oct 16, 2025 at 17:51

Affected Product

Vendor librenms

Product librenms

Version < 25.10.0

Affected Versions librenms librenms < 25.10.0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "LibreNMS  is a community-based GPL-licensed network monitoring system. LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the Transport name field is stored and later rendered in the Transports column of the Alert Rules page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin\u2019s browser. This vulnerability is fixed in 25.10.0.",
    "published": "2025-10-16T17:50:28.184Z",
    "modified": "2025-10-16T17:51:26.804Z",
    "type": "cve",
    "title": "Stored XSS in Alert Transport name field in LibreNMS",
    "source": "GitHub_M",
    "references": "https://github.com/librenms/librenms/security/advisories/GHSA-frc6-pwgr-c28w\nhttps://github.com/librenms/librenms/commit/706a77085f4d5964f7de9444208ef707e1f79450",
    "id": "CVE-2025-62411",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "librenms librenms < 25.10.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "librenms",
    "version": "< 25.10.0",
    "vendor": "librenms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Stored XSS in Alert Transport name field in LibreNMS_CVE-2025-62411