SB2026042413 - Multiple vulnerabilities in LibreNMS

Published: April 24, 2026

Security Bulletin ID: SB2026042413
CSH Severity: Low
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2025-62412)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote privileged user to inject arbitrary script code.

The vulnerability exists due to improper neutralization of input during web page generation in the alert-rules functionality when handling alert rule creation or update requests. A remote privileged user can submit a crafted alert rule name to inject arbitrary script code.

The issue can be triggered by using XML character references that bypass sanitization and are later decoded when the alert rule list is rendered.


2) Cross-site scripting (CVE-ID: CVE-2025-62411)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote privileged user to execute arbitrary JavaScript in an administrator's browser.

The vulnerability exists due to cross-site scripting in the Alert Transports management functionality when rendering a stored Transport name value on the Alert Rules page. A remote privileged user can create an alert transport with a specially crafted name to execute arbitrary JavaScript in an administrator's browser.

Only administrators can create Alert Transports, and the payload is triggered when the affected Alert Rules page is viewed.


Remediation

Install the update from the vendor's website.