Arbitrary file upload in LibreNMS - CVE-2024-47528
Published: October 1, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.
The vulnerability exists due to unrestricted upload of a file with a dangerous type in the custom map background upload feature, which accepts an SVG file as a custom map background. A remote user can upload a crafted SVG file containing script payloads to execute arbitrary script code in a victim's browser.
Only users with the admin role can upload the background file, and the issue affects admin users and users with the global read role who can access the uploaded file.