SB2026042412 - Multiple vulnerabilities in LibreNMS
Published: April 24, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) SQL injection (CVE-ID: CVE-2025-65093)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and modify data.
The vulnerability exists due to insufficient sanitization of the hostname parameter of the /ajax_output.php endpoint when handling discovery requests. The flaw is a boolean-based blind SQL injection: the response does not return query output directly, but differs depending on whether an injected condition is true or false, which lets an attacker infer database contents one condition at a time. A remote privileged user can send specially crafted requests to disclose sensitive information and modify data.
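The following is an added illustration of the flaw class described above, not LibreNMS code and not the actual vulnerable query. It uses a constructed in-memory SQLite table with a made-up schema and a hypothetical lookup that concatenates the hostname into SQL. The lookup only answers true/false, yet the probe loop recovers a secret column character by character; the parameterised version of the same lookup recovers nothing because the probe is bound as data.

```python
import sqlite3
import string


# Constructed in-memory table standing in for a device inventory; not LibreNMS's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (device_id INTEGER PRIMARY KEY, hostname TEXT, community TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (hostname, community) VALUES (?, ?)",
        [("core-sw1", "s3cr3t"), ("edge-rtr1", "public")],
    )
    conn.commit()
    return conn


def device_exists_vulnerable(conn, hostname):
    # Hypothetical vulnerable lookup: the hostname is spliced into the SQL text,
    # so a quote in it changes the query structure. It returns only True/False,
    # which is all a boolean-based blind attacker needs.
    sql = "SELECT COUNT(*) FROM devices WHERE hostname = '" + hostname + "'"
    return conn.execute(sql).fetchone()[0] > 0


def device_exists_safe(conn, hostname):
    # Hardened form: a bound parameter is sent as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM devices WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchone()[0] > 0


def probe(known_host, position, char):
    # Constructed blind-injection probe: "does character <position> of the
    # target's community string equal <char>?" The closing quote is supplied
    # by the vulnerable concatenation.
    return (
        known_host
        + "' AND substr((SELECT community FROM devices WHERE hostname='"
        + known_host + "'),"
        + str(position) + ",1)='" + char
    )


def extract_secret(conn, lookup, known_host="core-sw1", max_len=32):
    # Drives the true/false oracle one character at a time. Against the
    # vulnerable lookup this recovers the community string; against the
    # parameterised lookup every probe is just an unknown hostname, so it
    # recovers nothing.
    alphabet = string.ascii_lowercase + string.digits
    recovered = ""
    for position in range(1, max_len + 1):
        for char in alphabet:
            if lookup(conn, probe(known_host, position, char)):
                recovered += char
                break
        else:
            break  # no character matched: end of string (or no injection)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks:", repr(extract_secret(db, device_exists_vulnerable)))
    print("parameterised lookup leaks:", repr(extract_secret(db, device_exists_safe)))
```

The point of the loop is that "only a yes/no answer" is no protection: each request leaks one bit, and a few hundred requests recover a whole column. The fix is the bound parameter, not filtering quotes out of the input.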
2) Cross-site scripting (CVE-ID: CVE-2025-65013)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to insufficient output encoding of the Image Name parameter in the /maps/nodeimage endpoint when it is rendered into the page. A remote privileged user can craft a URL carrying a malicious image name and trick a victim into visiting it; the injected JavaScript then executes in the victim's browser in the context of the application. User interaction is required: the payload runs only when the victim opens the crafted link.
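The following is an added illustration of the bug class, not LibreNMS code and not the actual vulnerable template. It assumes a hypothetical view that places an untrusted image name inside HTML attributes, and uses a constructed payload that closes the attribute early. Python's own HTML tokenizer is used to check what attributes a browser would see in each rendering, and a hypothetical allowlist (an assumed policy, not the project's rule) shows the input-validation layer that belongs alongside output encoding.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload: terminates the attribute value and injects an event handler.
PAYLOAD = 'x" onerror="alert(1)'

# Hypothetical allowlist for image names (assumed policy, not LibreNMS's rule).
IMAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def valid_image_name(name):
    # Input validation: accept only a plain file-name token.
    return IMAGE_NAME_RE.fullmatch(name) is not None


def render_node_image_vulnerable(image_name):
    # Hypothetical vulnerable rendering: the untrusted name lands in two
    # attribute values with no output encoding.
    return '<img class="node" alt="' + image_name + '" src="/images/' + image_name + '">'


def render_node_image_safe(image_name):
    # Hardened form: encode for the HTML attribute context. quote=True turns
    # " into &quot; so the value cannot terminate the attribute.
    encoded = html.escape(image_name, quote=True)
    return '<img class="node" alt="' + encoded + '" src="/images/' + encoded + '">'


class _ImgAttrs(HTMLParser):
    # Tokenises the markup the way a browser would and collects the
    # attributes of the first <img> tag it meets.
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.attrs is None:
            self.attrs = dict(attrs)


def img_attributes(markup):
    parser = _ImgAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    print("vulnerable:", img_attributes(render_node_image_vulnerable(PAYLOAD)))
    print("safe:      ", img_attributes(render_node_image_safe(PAYLOAD)))
    print("allowlist accepts payload:", valid_image_name(PAYLOAD))
```

In the vulnerable rendering the parser reports an onerror attribute on the img tag, which is exactly what the victim's browser would execute; in the hardened rendering the whole payload survives only as the literal text of the alt attribute. Encoding must match the context (attribute here); the allowlist is a second layer that also keeps odd names out of the URL path.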
3) Weak password requirements (CVE-ID: CVE-2025-65014)
CWE-ID: CWE-521 - Weak Password Requirements
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists because the application does not enforce adequate password requirements when a user account is created or its password is set, so accounts can be created with trivially weak passwords. A remote attacker can perform brute-force or credential stuffing attacks against such accounts to disclose sensitive information. Exploitation depends on an administrator having created an account with an extremely weak and predictable password, which is why the vector carries AT:P.
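The following is an added example of the kind of check that closes this class of weakness at account creation time; it is not LibreNMS code and the thresholds are assumed policy values. It screens a candidate password for length, membership in a constructed blocklist of common passwords (a stand-in for a real breached-password corpus), the common trick of bolting digits or symbols onto a dictionary word, reuse of the username, and near-constant strings.

```python
import re

# Constructed blocklist standing in for a real breached/common-password list
# (in production, screen against a large corpus such as a Pwned Passwords export).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "admin", "letmein",
    "welcome", "librenms", "monitoring", "changeme",
}
MIN_LENGTH = 12  # assumed policy value

# Trailing digits/symbols people bolt onto a dictionary word ("Password123!").
_SUFFIX_RE = re.compile(r"[\d!@#$%^&*()_.+=-]+$")


def password_problems(username, password):
    """Return the list of policy violations for a candidate password (empty means acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Check both the literal value and the value with a trailing suffix stripped.
    if lowered in COMMON_PASSWORDS or _SUFFIX_RE.sub("", lowered) in COMMON_PASSWORDS:
        problems.append("common or breached password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) < 4:
        problems.append("too few distinct characters")
    return problems


def is_acceptable(username, password):
    # Gate to call from the user-creation / password-change handler.
    return not password_problems(username, password)


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("monitor", "Password123!"),
                     ("ops", "aaaaaaaaaaaa"), ("monitor", "correct-horse-battery-staple")]:
        print("%-8s %-30s %s" % (user, pw, password_problems(user, pw) or "ok"))
```

Returning the full list of violations rather than a single boolean lets the UI explain the rejection. Pair the check with rate limiting on the login endpoint, since a policy only protects accounts created after it is enforced; existing accounts need a forced reset.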
Remediation
Install the update from the vendor's website; see the linked GitHub security advisories for details of each issue.
References
- https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9
- https://github.com/advisories/GHSA-6pmj-xjxp-p8g9
- https://github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256x
- https://github.com/advisories/GHSA-j8cq-7f6p-256x
- https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g
- https://github.com/advisories/GHSA-5mrf-j8v6-f45g