CVE-2025-69848

Name of the Vulnerable Software and Affected Versions NetBox versions 2.11.0 through 3.7.x

Description A reflected cross-site scripting (XSS) issue exists in the ProtectedError handling logic. Object names are included in HTML error messages without proper escaping, allowing user-controlled content to be rendered in the web interface when a delete operation fails due to protected relationships. This could enable the execution of arbitrary client-side code in the context of a privileged user.

Recommendations Versions 2.11.0 through 3.7.x are vulnerable and should be updated.