Cross-site scripting in LibreNMS - CVE-2025-62411

 


Published: April 24, 2026


Vulnerability identifier: #VU127440
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-62411
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software: LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser.

The vulnerability exists due to cross-site scripting in the Alert Transports management functionality when rendering a stored Transport name value on the Alert Rules page. A remote privileged user can create an alert transport with a specially crafted name to execute arbitrary JavaScript in an administrator's browser.

Only administrators can create Alert Transports, and the payload is triggered when the affected Alert Rules page is viewed.


How to mitigate CVE-2025-62411

Install the security update from the vendor's website.
