CVE-2025-23200

Name of the Vulnerable Software and Affected Versions Librenms versions up to 24.10.1

Description The issue is a stored XSS that affects the parameter: ajax form.php -> param: state. This allows remote attackers to inject malicious scripts, which execute immediately when a user views or interacts with the page displaying the data, potentially leading to unauthorized actions or data exposure.

Recommendations For Librenms versions up to 24.10.1, upgrade to release version 24.11.0 to address the issue. As a temporary workaround, consider restricting access to the ajax form.php endpoint or disabling the dynamic override config function until a patch is available. Avoid using the state parameter in the affected API endpoint until the issue is resolved.