CVE-2025-65013 | THREATINT

Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a reflected cross-site scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser. This issue has been patched in version 25.11.0.

PUBLISHED Reserved 2025-11-13 | Published 2025-11-18 | Updated 2025-11-19 | Assigner GitHub_M

MEDIUM: 6.2CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 25.11.0

affected

References

github.com/...brenms/security/advisories/GHSA-j8cq-7f6p-256x exploit

github.com/...brenms/security/advisories/GHSA-j8cq-7f6p-256x

cve.org (CVE-2025-65013)

nvd.nist.gov (CVE-2025-65013)

Download JSON