PT-2025-47403 · Librenms · Librenms

Published 2025-11-18 · Updated 2025-11-19 · CVE-2025-65013

CVSS v3.1 6.2 Medium
Vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 25.11.0
Description: LibreNMS, a PHP/MySQL/SNMP-based network monitoring tool, contains a reflected cross-site scripting (XSS) vulnerability. The /maps/nodeimage endpoint reflects the Image Name parameter into the HTTP response without output encoding or sanitization, so an attacker can craft a URL that, when opened by a victim, executes arbitrary JavaScript in the victim's browser. Because the injection is reflected rather than stored, the crafted URL has to be delivered to a victim with an active LibreNMS session; the CVSS vector (PR:H, UI:R) records that the attacker needs a privileged account and that the victim must open the link. Successful exploitation can lead to session hijacking, actions performed on behalf of the victim, or exfiltration of sensitive information. Vulnerable endpoint: /maps/nodeimage. Vulnerable parameter: Image Name.
Recommendations: Update installations running versions prior to 25.11.0 to version 25.11.0 or later.
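The bug class behind this advisory, shown as an added example that is not LibreNMS code and not the project's actual fix: a request parameter written into HTML verbatim, next to the same handler with output encoding applied at the point of reflection. The query-parameter name `image` and the `/images/` path prefix are hypothetical stand-ins, since the page only names the parameter as "Image Name"; the allowlist check is an extra defense-in-depth step assumed here on the basis that a map node image is a file name, which the advisory does not state.

```php
<?php
// Added example for CVE-2025-65013's bug class; not code from LibreNMS.
// "image" is a hypothetical query-parameter name standing in for the
// advisory's "Image Name" parameter; "/images/" is an assumed path prefix.

// Vulnerable pattern: the untrusted value is concatenated straight into HTML.
// A value such as  x"><script>alert(document.cookie)</script>  closes the
// quoted attribute and the <img> tag, and the script runs in the victim's
// browser when the crafted URL is opened.
function render_vulnerable(string $imageName): string
{
    return '<img src="/images/' . $imageName . '" alt="' . $imageName . '">';
}

// Hardened pattern: HTML-encode the value where it is written into the page.
// ENT_QUOTES encodes both " and ' so the value cannot leave a quoted
// attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, which would otherwise silently blank the output.
function render_safe(string $imageName): string
{
    $enc = htmlspecialchars($imageName, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="/images/' . $enc . '" alt="' . $enc . '">';
}

// Optional defense in depth (assumption: the value is a file name). Rejecting
// anything outside a conservative character set before rendering means an
// encoding mistake elsewhere in the template is not immediately exploitable.
function validate_image_name(string $imageName): ?string
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $imageName) === 1
        ? $imageName
        : null;
}

// Minimal handler using both layers. Returns the HTML to send, or a 400 body.
function handle_nodeimage(array $query): array
{
    $raw = $query['image'] ?? '';
    if (validate_image_name($raw) === null) {
        return [400, 'invalid image name'];
    }
    return [200, render_safe($raw)];
}

// Constructed payload for a local self-check (run: php this_file.php).
$payload = 'x"><script>alert(document.cookie)</script>';

$vuln = render_vulnerable($payload);
$safe = render_safe($payload);

// The vulnerable rendering still contains an executable <script> tag; the
// hardened one carries only the encoded form (&lt;script&gt;) as inert text.
if (!str_contains($vuln, '<script') || str_contains($safe, '<script')) {
    fwrite(STDERR, "unexpected rendering result\n");
    exit(1);
}

[$status, $body] = handle_nodeimage(['image' => $payload]);
if ($status !== 400) {
    fwrite(STDERR, "allowlist did not reject the payload\n");
    exit(1);
}

[$status, $body] = handle_nodeimage(['image' => 'router-01.png']);
echo $status, ' ', $body, PHP_EOL;
```

The encoding in `render_safe` is the actual fix for this class of bug; the allowlist only narrows the blast radius if a template elsewhere forgets to encode. When verifying a patched instance, the check is the same as in the self-check above: a harmless marker containing `<` and `"` sent in the Image Name parameter must come back in the /maps/nodeimage response as `&lt;` and `&quot;` (or be rejected), never as raw markup.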

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-65013
GHSA-J8CQ-7F6P-256X

Affected Products

Librenms