Security
Headlines

Headline

GHSA-frc6-pwgr-c28w: LibreNMS has a Stored XSS vulnerability in its Alert Transport name field

Summary

LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the Transport name field is stored and later rendered in the Transports column of the Alert Rules page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin’s browser.

Details

  • Injection point: Transport name field in /alert-transports.
  • Execution point: Transports column in /alert-rules.
  • Scope: Only administrators can create Alert Transports, and only administrators can view the affected Alert Rules page. Therefore, both exploitation and impact are limited to admin users.

Steps to reproduce

  1. Log in with an administrator account.

  2. Navigate to:

    http://localhost:8000/alert-transports
    
  3. Click Create alert transport and provide the following values:

    • Transport name:

      'onfocus='alert(1)' autofocus=
      
    • Default Alert: ON

    • Email: test@gmail.com (or any valid email)

    Save the transport.

  4. Navigate to http://localhost:8000/alert-rules. A popup alert(1) is triggered, confirming that the payload executes.

Impact

Only accounts with the admin role who access the Alert Rules page (http://localhost:8000/alert-rules) are affected.
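The rendering defect described above, modelled as an added Python example; this is not code from the LibreNMS project (the project's actual fix is in the referenced commit and is not reproduced here). It shows a table cell that concatenates the stored Transport name straight into a single-quoted attribute, beside the same cell with HTML entity encoding applied, and a small parser-based check a reviewer can run to confirm that no event-handler attribute survives encoding. The markup shape, the `render_cell_*` functions and the audit helpers are assumptions made for the example; the only value taken from the advisory is the payload string.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the attribute-breakout value quoted in the advisory.
PAYLOAD = "'onfocus='alert(1)' autofocus="


def render_cell_vulnerable(transport_name: str) -> str:
    """Assumed vulnerable pattern: the stored name is dropped unencoded into a
    single-quoted attribute and into the element body, so a quote in the value
    terminates the attribute and everything after it becomes new attributes."""
    return f"<span class='transport' title='{transport_name}'>{transport_name}</span>"


def render_cell_fixed(transport_name: str) -> str:
    """Same markup with output encoding: html.escape(quote=True) turns ' " < > &
    into entities, so the value can never leave the attribute it was placed in."""
    safe = html.escape(transport_name, quote=True)
    return f"<span class='transport' title='{safe}'>{safe}</span>"


class TagAudit(HTMLParser):
    """Records every start tag with its attributes, roughly as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag, {attr_name: attr_value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, {k.lower(): v for k, v in attrs}))


def parse_tags(markup: str):
    p = TagAudit()
    p.feed(markup)
    p.close()
    return p.tags


def event_handlers(markup: str):
    """Return (tag, attribute) pairs for any on* attribute the parser finds.
    For correctly encoded output this must be empty."""
    return [(tag, name) for tag, attrs in parse_tags(markup)
            for name in attrs if name.startswith("on")]


def title_of(markup: str):
    """Return the decoded title attribute of the first <span>, i.e. what the
    browser would show; for encoded output it round-trips to the original name."""
    for tag, attrs in parse_tags(markup):
        if tag == "span":
            return attrs.get("title")
    return None


def audit_stored_names(names):
    """Triage helper for already-stored values: names that contain characters
    which need encoding when rendered (the ones an unescaped template would misparse)."""
    return [n for n in names if html.escape(n, quote=True) != n]


if __name__ == "__main__":
    print("vulnerable:", render_cell_vulnerable(PAYLOAD))
    print("  handlers:", event_handlers(render_cell_vulnerable(PAYLOAD)))
    print("fixed:     ", render_cell_fixed(PAYLOAD))
    print("  handlers:", event_handlers(render_cell_fixed(PAYLOAD)))
    print("  title:   ", title_of(render_cell_fixed(PAYLOAD)))
```

The `audit_stored_names` check is the one to run first after upgrading: encoding on output stops future execution, but transport names already saved with quotes or angle brackets are worth listing and reviewing, since the stored value itself is unchanged by the fix.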

Source: ghsa
Tags: #xss #vulnerability #git #java
GitHub Advisory Database > GitHub Reviewed > CVE-2025-62411

LibreNMS has a Stored XSS vulnerability in its Alert Transport name field

Moderate severity GitHub Reviewed Published Oct 16, 2025 in librenms/librenms • Updated Oct 16, 2025

Package

composer librenms/librenms (Composer)

Affected versions

< 25.10.0

References

  • GHSA-frc6-pwgr-c28w
  • librenms/librenms@e1ead36
  • https://github.com/librenms/librenms/releases/tag/25.10.0

Published to the GitHub Advisory Database

Oct 16, 2025

Last updated

Oct 16, 2025
