Cross-site scripting in LibreNMS - CVE-2025-62412

 

Published: April 24, 2026


Vulnerability identifier: #VU127439
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-62412
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software:
LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to inject arbitrary script code.

The vulnerability exists due to improper neutralization of input during web page generation in the alert-rules functionality when handling alert rule creation or update requests. A remote privileged user can submit a crafted alert rule name to inject arbitrary script code.

The issue can be triggered by using XML character references that bypass sanitization and are later decoded when the alert rule list is rendered.
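The sanitize-then-decode ordering described above, next to output escaping and a small audit check for stored names, as an added example that is not LibreNMS code. The filter and render functions are simplified assumptions about the flaw class, all function names are hypothetical, and the sample name is constructed.

```python
import html
import re

TAG_RE = re.compile(r"<[^>]*>")

def naive_sanitize(name: str) -> str:
    """Weak input filter (assumed model): removes literal tags only."""
    return TAG_RE.sub("", name)

def render_decoding(stored: str) -> str:
    """Weak render step (assumed model): character references are decoded
    after the filter has already run, so markup reappears."""
    return html.unescape(stored)

def render_safe(stored: str) -> str:
    """Hardened render: treat the stored value as text and escape on output."""
    return html.escape(stored, quote=True)

def canonicalize(name: str, max_rounds: int = 5) -> str:
    """Decode character references until the value stops changing, so that
    nested encodings are resolved before any check is applied."""
    for _ in range(max_rounds):
        decoded = html.unescape(name)
        if decoded == name:
            return name
        name = decoded
    raise ValueError("too many nested encodings")

def flag_suspicious(names):
    """Audit helper: return names whose decoded form contains markup
    characters that the raw stored form did not show."""
    hits = []
    for raw in names:
        decoded = canonicalize(raw)
        if decoded != raw and re.search(r"[<>\"']", decoded):
            hits.append(raw)
    return hits

# Constructed sample: a harmless <b> tag stands in for injected markup.
SAMPLE = "CPU high &#60;b&#62;x&#60;/b&#62;"

if __name__ == "__main__":
    stored = naive_sanitize(SAMPLE)          # filter sees no literal tags
    print(render_decoding(stored))           # markup is back after decoding
    print(render_safe(stored))               # references stay inert text
    print(flag_suspicious(["Disk full", SAMPLE, "R&amp;D link down"]))
```

Running `flag_suspicious` over the alert rule names already stored in an instance helps find entries created before the update was applied.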


How to mitigate CVE-2025-62412

Install the security update from the vendor's website.
