#VU127448 Cross-site scripting in LibreNMS - CVE-2025-23199
Published: January 16, 2025 / Updated: April 24, 2026
Vulnerability identifier: #VU127448
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-23199
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
LibreNMS
LibreNMS
Software vendor:
LibreNMS Project
LibreNMS Project
Description
The vulnerability allows a remote user to inject malicious scripts.
The vulnerability exists due to improper neutralization of input during web page generation in the /ajax_form.php endpoint and port description rendering logic when handling the descr parameter in update-ifalias requests and later displaying the stored value. A remote user can submit a specially crafted description value to inject malicious scripts.
User interaction is required when the stored data is viewed or interacted with, including accessing the ports tab or hovering over the modified port field.
Remediation
Install security update from vendor's website.