Cross-site scripting in LibreNMS - CVE-2024-47526
Published: October 1, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in the affected user's browser session.
The vulnerability exists due to improper neutralization of input during web page generation in the Alert Templates feature in librenms/includes/html/modal/alert_template.inc.php when creating an alert template and rendering the newly added template name in the table. A remote privileged user can submit a crafted template name to execute arbitrary JavaScript in the affected user's browser session.
User interaction is required, and the injected script executes immediately upon submission but does not persist after a page refresh.