Cross-site scripting in LibreNMS - CVE-2025-65013

 

Published: April 24, 2026


Vulnerability identifier: #VU127437
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-65013
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software: LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in the /maps/nodeimage endpoint when handling the Image Name parameter in a crafted URL. A remote privileged user can craft a malicious URL and trick a victim into visiting it to execute arbitrary JavaScript in the victim's browser.

User interaction is required, and the issue is triggered when the victim visits the crafted link.


How to mitigate CVE-2025-65013

Install the security update from the vendor's website.
