SB2026042413 - Multiple vulnerabilities in LibreNMS
Published: April 24, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-62412)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary script code.
The vulnerability exists due to improper neutralization of input during web page generation in the alert-rules functionality when handling alert rule creation or update requests. A remote privileged user can submit a crafted alert rule name to inject arbitrary script code.
The issue can be triggered by using XML character references that bypass sanitization and are later decoded when the alert rule list is rendered.
2) Cross-site scripting (CVE-ID: CVE-2025-62411)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser.
The vulnerability exists due to cross-site scripting in the Alert Transports management functionality when rendering a stored Transport name value on the Alert Rules page. A remote privileged user can create an alert transport with a specially crafted name to execute arbitrary JavaScript in an administrator's browser.
Only administrators can create Alert Transports, and the payload is triggered when the affected Alert Rules page is viewed.
Remediation
Install update from vendor's website.