CVE-2025-62411
LibreNMS has a Stored XSS vulnerability in its Alert Transport name field
Description
### Summary

LibreNMS <= 25.8.0 contains a **Stored Cross-Site Scripting (XSS)** vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the `Transport name` field is stored and later rendered in the **Transports** column of the **Alert Rules** page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin's browser.

### Details

* **Injection point:** `Transport name` field in `/alert-transports`.
* **Execution point:** **Transports** column in `/alert-rules`.
* **Scope:** Only administrators can create Alert Transports, and only administrators can view the affected Alert Rules page. Therefore, both exploitation and impact are limited to admin users.

### Steps to reproduce

1. Log in with an administrator account.
2. Navigate to:
   ```
   http://localhost:8000/alert-transports
   ```
3. Click **Create alert transport** and provide the following values:
   * **Transport name:**
     ```html
     'onfocus='alert(1)' autofocus=
     ```
   * **Default Alert:** `ON`
   * **Email:** `[email protected]` (or any valid email)

   Save the transport.
4. Navigate to `http://localhost:8000/alert-rules`. A popup `alert(1)` is triggered, confirming that the payload executes.

![Screenshot: alert(1) popup on the Alert Rules page](https://github.com/user-attachments/assets/932ba17d-214d-4253-80b8-62539d1cfa28)

### Impact

Only accounts with the admin role who access the **Alert Rules** page (`http://localhost:8000/alert-rules`) are affected.
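As an added illustration (not LibreNMS code; LibreNMS itself is written in PHP), the following Python shows the output-encoding rule the advisory describes: the same transport name rendered with and without encoding, a naive attribute parser to show what the table cell ends up containing, and a save-time allow-list as defence in depth. The cell template and the allow-listed character set are assumptions made for the example.

```python
import re
from html import escape

# Constructed sample values: the first is the transport name from the
# advisory's reproduction steps, the second is an ordinary name.
XSS_NAME = "'onfocus='alert(1)' autofocus="
GOOD_NAME = "Ops mail (primary)"

# Assumption for illustration: the Transports cell places the stored name in a
# single-quoted attribute and as visible text. The real template may differ.
CELL_TEMPLATE = "<td><a href='#' title='{name}'>{name}</a></td>"


def render_cell_unsafe(name: str) -> str:
    """Pre-fix behaviour as the advisory describes it: raw interpolation, so a
    single quote in the name closes the title attribute and whatever follows
    is parsed as further attributes of the same element."""
    return CELL_TEMPLATE.format(name=name)


def render_cell_safe(name: str) -> str:
    """Hardened form: HTML-encode at output time. quote=True matters because
    escape() without it leaves ' and " untouched, and the attribute context
    would still be breakable."""
    return CELL_TEMPLATE.format(name=escape(name, quote=True))


def attribute_values(html: str) -> dict:
    """Naive parse of single-quoted attributes, enough to show which
    attributes the rendered cell contains. Returns {attribute: value}."""
    return dict(re.findall(r"([a-zA-Z][\w-]*)='([^']*)'", html))


# Assumed allow-list of characters a transport name legitimately needs.
NAME_RE = re.compile(r"^[\w .,()/@:-]{1,64}$")


def validate_transport_name(name: str) -> bool:
    """Defence in depth at save time: reject names outside the allow-list.
    This narrows what gets stored; it is not a substitute for encoding."""
    return bool(NAME_RE.fullmatch(name))
```

With the unsafe renderer the parsed cell gains `onfocus` and `autofocus` attributes; with the safe renderer the whole name stays inside the `title` value as encoded text.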
How to fix CVE-2025-62411
To remediate CVE-2025-62411, upgrade the affected package to a fixed version below.
- Upgrade to 25.10.0 or later
Is CVE-2025-62411 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- LibreNMS: all versions from 0 up to, but not including, 25.10.0