CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-55296 – LibreNMS allows stored XSS in Alert Template name field
https://notcve.org/view.php?id=CVE-2025-55296
18 Aug 2025 — librenms is a community-based GPL-licensed network monitoring system. A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the template is rendered, potentially compromising other admin accounts. This vulnerability is fixed in 25.8.0. • https://github.com/librenms/librenms/security/advisories/GHSA-vxq6-8cwm-wj99 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-54138 – LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE
https://notcve.org/view.php?id=CVE-2025-54138
22 Jul 2025 — LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern i... • https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47931 – LibreNMS stored Cross-site Scripting vulnerability in poller group name
https://notcve.org/view.php?id=CVE-2025-47931
17 May 2025 — LibreNMS is PHP/MySQL/SNMP based network monitoring software. LibreNMS v25.4.0 and prior suffers from a Stored Cross-Site Scripting (XSS) Vulnerability in the `group name` parameter of the `http://localhost/poller/groups` form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. LibreNMS v25.5.0 contains a patch for the issue. • https://github.com/librenms/librenms/security/advisories/GHSA-hxw5-9cc5-cmw5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56144 – Stored XSS-LibreNMS-Display Name 2 in librenms
https://notcve.org/view.php?id=CVE-2024-56144
16 Jan 2025 — librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):`/device/$DEVICE_ID/edit` -> param: display. Librenms versions up to 24.11.0 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been add... • https://github.com/librenms/librenms/security/advisories/GHSA-2f4w-6mc7-4w78 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23198 – Stored-XSS-LibreNMS-Display-Name in librenms
https://notcve.org/view.php?id=CVE-2025-23198
16 Jan 2025 — librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):`/device/$DEVICE_ID/edit` -> param: display. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been add... • https://github.com/librenms/librenms/security/advisories/GHSA-pm8j-3v64-92cq • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23199 – Stored XSS-LibreNMS-Ports in librenms
https://notcve.org/view.php?id=CVE-2025-23199
16 Jan 2025 — librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: `/ajax_form.php` -> param: descr. Librenms version up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. • https://github.com/librenms/librenms/security/advisories/GHSA-27vf-3g4f-6jp7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23200 – Stored XSS-LibreNMS-Misc Section in librenms
https://notcve.org/view.php?id=CVE-2025-23200
16 Jan 2025 — librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: `ajax_form.php` -> param: state. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. • https://github.com/librenms/librenms/security/advisories/GHSA-c66p-64fj-jmc2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23201 – Reflected Cross-site Scripting on error alert in librenms
https://notcve.org/view.php?id=CVE-2025-23201
16 Jan 2025 — librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to Cross-site Scripting (XSS) on the parameters:`/addhost` -> param: community. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. • https://github.com/librenms/librenms/security/advisories/GHSA-g84x-g96g-rcjc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52526 – LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/services.inc.php
https://notcve.org/view.php?id=CVE-2024-52526
15 Nov 2024 — LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Services" tab of the Device page allows authenticated users to inject arbitrary JavaScript through the "descr" parameter when adding a service to a device. This vulnerability could result in the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and enabling unauthorized actions. This vulnerability is fixed in 24.10.0. • https://github.com/librenms/librenms/commit/30e522c29bbb1f9b72951025e7049a26c7e1d76e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51497 – LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/print-customoid.php
https://notcve.org/view.php?id=CVE-2024-51497
15 Nov 2024 — LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Custom OID" tab of a device allows authenticated users to inject arbitrary JavaScript through the "unit" parameter when creating a new OID. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, compromising their accounts and enabling unauthorized actions. This vulnerability is fixed in 24.10.0. • https://github.com/librenms/librenms/commit/42b156e42a3811c23758772ce8c63d4d3eaba59b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •