Cross-site scripting in LibreNMS - CVE-2025-23199

 


Published: January 16, 2025 / Updated: April 24, 2026


Vulnerability identifier: #VU127448
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-23199
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software:
LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to inject malicious scripts.

The vulnerability exists due to improper neutralization of input during web page generation in the /ajax_form.php endpoint and port description rendering logic when handling the descr parameter in update-ifalias requests and later displaying the stored value. A remote user can submit a specially crafted description value to inject malicious scripts.

User interaction is required when the stored data is viewed or interacted with, including accessing the ports tab or hovering over the modified port field.
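
The fix for this class of bug is to encode the stored description at every point where it is rendered. The PHP sketch below is an added example, not LibreNMS code or the vendor's patch: the helper names, the table-cell markup and the sample value are hypothetical, and it assumes the description is shown both as cell text and as hover text.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not LibreNMS functions) for handling a stored port description.

/** Encode a value for use in HTML text and in quoted attribute values. */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Normalise the submitted descr before storing it: drop control characters, cap the length. */
function clean_descr(string $descr, int $maxLen = 255): string
{
    // preg_replace returns null on invalid UTF-8; treat that input as empty.
    $descr = preg_replace('/[\x00-\x1F\x7F]/u', '', $descr) ?? '';
    // mb_substr needs the mbstring extension; it avoids cutting a multibyte character in half.
    return mb_substr(trim($descr), 0, $maxLen, 'UTF-8');
}

/** Render one ports-table cell; the description is encoded in both output positions. */
function render_port_cell(string $ifName, string $storedDescr): string
{
    return sprintf(
        '<td title="%s">%s<br><span class="descr">%s</span></td>',
        esc_html($storedDescr),   // hover text (quoted attribute context)
        esc_html($ifName),
        esc_html($storedDescr)    // visible cell text (HTML body context)
    );
}

// Constructed sample value containing markup characters, as it might arrive in descr.
$submitted = 'Uplink <b>core</b> "sw1" & \'lab\'';
$stored = clean_descr($submitted);

// The markup characters come out as entities, so the browser shows them as literal text.
echo render_port_cell('eth0', $stored), PHP_EOL;
```

Input cleaning here only bounds what is stored; the encoding at render time is what keeps a stored value from being interpreted as markup.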


How to mitigate CVE-2025-23199

Install the security update from the vendor's website.
