CVE-2025-62412

Name of the Vulnerable Software and Affected Versions LibreNMS versions 25.8.0 through 25.10.0

Description LibreNMS contains a flaw in the Alerts > Alert Rules page where the alert rule name is not properly sanitized. This allows for the injection of HTML code, potentially leading to Cross-Site Scripting (XSS). The vulnerability exists due to insufficient sanitization of the name parameter when creating or updating alert rules via a POST request to the /ajax form.php endpoint. The sanitization attempt using strip tags() can be bypassed using XML character references, such as <script>alert(1)</script>. The injected script is then executed when the bootgrid() function decodes these references during table rendering.

Recommendations LibreNMS version 25.10.0 resolves this issue. LibreNMS versions 25.8.0 and 25.9.0 are affected and should be updated.