Search for packages
| purl | pkg:composer/librenms/librenms@1.33.01 |
| Next non-vulnerable version | 1.44.0 |
| Latest non-vulnerable version | 201609.0.0 |
| Risk |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-18g9-2u9c-nbez
Aliases: CVE-2025-62411 GHSA-frc6-pwgr-c28w |
LibreNMS is a community-based GPL-licensed network monitoring system. LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the Transport name field is stored and later rendered in the Transports column of the Alert Rules page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin’s browser. This vulnerability is fixed in 25.10.0. |
Affected by 6 other vulnerabilities. |
|
VCID-1bhu-qkzp-tqas
Aliases: CVE-2022-0589 GHSA-gj26-g5qf-jrh7 |
Cross-site Scripting in librenms |
Affected by 65 other vulnerabilities. |
|
VCID-2dax-4ghn-mffp
Aliases: CVE-2020-15877 GHSA-3c33-3465-fhx2 |
Affected by 69 other vulnerabilities. |
|
|
VCID-2zej-x5n6-cqbf
Aliases: CVE-2024-51494 GHSA-7663-37rg-c377 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Port Settings" page allows authenticated users to inject arbitrary JavaScript through the "descr" parameter when editing a device's port settings. This vulnerability can lead to the execution of malicious code when the "Port Settings" page is visited, potentially compromising the user's session and allowing unauthorized actions. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-3faw-j7vn-hfaz
Aliases: CVE-2024-49764 GHSA-rmr4-x6c9-jc68 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Capture Debug Information" page allows authenticated users to inject arbitrary JavaScript through the "hostname" parameter when creating a new device. This vulnerability results in the execution of malicious code when the "Capture Debug Information" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-3qv3-74t6-6fhs
Aliases: CVE-2020-35700 GHSA-h59f-p56g-g75v |
Affected by 68 other vulnerabilities. |
|
|
VCID-4syp-nckb-9fbw
Aliases: CVE-2024-51495 GHSA-p66q-ppwr-q5j8 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the Device Overview page allows authenticated users to inject arbitrary JavaScript through the "overwrite_ip" parameter when editing a device. This vulnerability results in the execution of malicious code when the device overview page is visited, potentially compromising the accounts of other users. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-5999-8pth-d7ba
Aliases: CVE-2024-51496 GHSA-28p7-f6h6-3jh3 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Reflected Cross-Site Scripting (XSS) vulnerability in the "metric" parameter of the "/wireless" and "/health" endpoints allows attackers to inject arbitrary JavaScript. This vulnerability results in the execution of malicious code when a user accesses the page with a malicious "metric" parameter, potentially compromising their session and allowing unauthorized actions. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-5ehc-2e2v-wkgb
Aliases: CVE-2024-47525 GHSA-j2j9-7pr6-xqwv |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Rules" feature allows authenticated users to inject arbitrary JavaScript through the "Title" field. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. This vulnerability is fixed in 24.9.0. |
Affected by 31 other vulnerabilities. |
|
VCID-5qc1-g4x7-n3fp
Aliases: CVE-2019-10668 GHSA-277v-gwfr-hmpj |
Missing Authentication for Critical Function in LibreNMS |
Affected by 74 other vulnerabilities. |
|
VCID-61va-qddt-rbf2
Aliases: CVE-2018-20678 GHSA-4fwh-r866-pvh9 |
Affected by 76 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-656h-mks2-6yaw
Aliases: CVE-2022-3525 GHSA-cv9g-h8mm-xx5h |
Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0. |
Affected by 49 other vulnerabilities. |
|
VCID-8333-p936-4yen
Aliases: CVE-2023-4978 GHSA-qjpw-rg56-jh8v |
Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.0. |
Affected by 43 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8xsz-9mtq-w7ct
Aliases: CVE-2022-0588 GHSA-254q-rqmw-vx45 |
Missing Authorization in librenms/librenms |
Affected by 60 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8ytn-qf7f-yfbf
Aliases: CVE-2023-5591 GHSA-mr6h-7x2m-rgmq |
SQL Injection in GitHub repository librenms/librenms prior to 23.10.0. |
Affected by 41 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-91gw-qj5p-y3ed
Aliases: CVE-2022-4068 GHSA-f3hw-3h74-wr98 |
A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an attacker with a low privilege user to execute arbitrary JavaScript in the context of an admin's account. |
Affected by 49 other vulnerabilities. |
|
VCID-92gm-nsf8-d7dt
Aliases: CVE-2021-31274 GHSA-2r2w-jrh2-p4gr |
Affected by 67 other vulnerabilities. |
|
|
VCID-98wd-pvht-nqfu
Aliases: CVE-2022-0772 GHSA-vhm6-gw82-6f8j |
Cross site scripting in LibreNMS |
Affected by 59 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9zy9-ue2n-87b4
Aliases: CVE-2022-4069 GHSA-p55m-g4m3-qmrp |
Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 22.10.0. |
Affected by 49 other vulnerabilities. |
|
VCID-ae82-tsr6-c3cw
Aliases: CVE-2025-65013 GHSA-j8cq-7f6p-256x |
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a reflected cross-site scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser. This issue has been patched in version 25.11.0. |
Affected by 3 other vulnerabilities. |
|
VCID-bgm3-4nkb-c3bs
Aliases: CVE-2022-29712 GHSA-23f2-vgr6-fwv7 |
Command injection in librenms |
Affected by 58 other vulnerabilities. |
|
VCID-byb9-nnem-5bdu
Aliases: CVE-2024-50355 GHSA-4m5r-w2rq-q54q |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. User with Admin role can edit the Display Name of a device, the application did not properly sanitize the user input in the device Display Name, if java script code is inside the name of the device Display Name, its can be trigger from different sources. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-c5qg-fsdx-w7eg
Aliases: CVE-2024-51092 GHSA-x645-6pf9-xwxw |
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory(). |
Affected by 18 other vulnerabilities. |
|
VCID-cewc-v19g-yqf6
Aliases: CVE-2019-10665 GHSA-q5rg-wg7h-73m5 |
Affected by 76 other vulnerabilities. |
|
|
VCID-cmqg-e3da-r7cf
Aliases: CVE-2026-26987 GHSA-gqx7-99jw-6fpr |
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version 26.2.0. |
Affected by 0 other vulnerabilities. |
|
VCID-cntm-etf9-kkbv
Aliases: CVE-2025-55296 GHSA-vxq6-8cwm-wj99 |
librenms is a community-based GPL-licensed network monitoring system. A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the template is rendered, potentially compromising other admin accounts. This vulnerability is fixed in 25.8.0. |
Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dgdu-jnbz-2qbe
Aliases: CVE-2024-32479 GHSA-72m9-7c8x-pmmw |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Prior to version 24.4.0, there is improper sanitization on the `Service` template name, which can lead to stored Cross-site Scripting. Version 24.4.0 fixes this vulnerability. |
Affected by 35 other vulnerabilities. |
|
VCID-dku9-fked-fueu
Aliases: CVE-2023-46745 GHSA-rq42-58qf-v3qx |
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. In affected versions the login method has no rate limit. An attacker may be able to leverage this vulnerability to gain access to user accounts. This issue has been addressed in version 23.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 38 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dmsz-ct8c-zuf9
Aliases: CVE-2024-49758 GHSA-c86q-rj37-8f85 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. User with Admin role can add Notes to a device, the application did not properly sanitize the user input, when the ExamplePlugin enable, if java script code is inside the device's Notes, its will be trigger. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-ek4h-m8w9-t7bp
Aliases: CVE-2023-4981 GHSA-5jjm-qp48-qp86 |
Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.0. |
Affected by 43 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-eq4t-1cwx-zfh5
Aliases: CVE-2024-50351 GHSA-v7w9-63xh-6r3w |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Reflected Cross-Site Scripting (XSS) vulnerability in the "section" parameter of the "logs" tab of a device allows attackers to inject arbitrary JavaScript. This vulnerability results in the execution of malicious code when a user accesses the page with a malicious "section" parameter, potentially compromising their session and enabling unauthorized actions. The issue arises from a lack of sanitization in the "report_this()" function. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-eyv3-xp88-t7en
Aliases: CVE-2024-49754 GHSA-gfwr-xqmj-j27v |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result in the execution of malicious code in the context of other users' sessions, compromising their accounts and enabling unauthorized actions. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-g8zs-nkxb-hyc4
Aliases: CVE-2025-68614 GHSA-c89f-8g7g-59wj |
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. This issue has been patched in version 25.12.0. |
Affected by 4 other vulnerabilities. |
|
VCID-gnfs-vu51-cbda
Aliases: CVE-2024-47526 GHSA-gcgp-q2jq-fw52 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Self Cross-Site Scripting (Self-XSS) vulnerability in the "Alert Templates" feature allows users to inject arbitrary JavaScript into the alert template's name. This script executes immediately upon submission but does not persist after a page refresh. |
Affected by 31 other vulnerabilities. |
|
VCID-gppp-bfnm-7ba6
Aliases: CVE-2024-47523 GHSA-7f84-28qh-9486 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Transports" feature allows authenticated users to inject arbitrary JavaScript through the "Details" section (which contains multiple fields depending on which transport is selected at that moment). This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. This vulnerability is fixed in 24.9.0. |
Affected by 31 other vulnerabilities. |
|
VCID-gzvy-qsmz-a7ca
Aliases: CVE-2023-5060 GHSA-2q8c-gqf4-mg3v |
Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.1. |
Affected by 42 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-hhhz-1bd6-3bfy
Aliases: CVE-2022-3516 GHSA-r4gq-hv2r-mrf5 |
Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0. |
Affected by 49 other vulnerabilities. |
|
VCID-j176-ekvg-3ufv
Aliases: CVE-2020-15873 GHSA-g5r6-vrmx-9gwj |
Affected by 69 other vulnerabilities. |
|
|
VCID-ja3k-pqg6-cuct
Aliases: CVE-2021-43324 GHSA-46rx-6jg9-4fh8 |
Affected by 69 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-k3tp-p2ay-5bf3
Aliases: CVE-2022-0575 GHSA-hxmr-5gv9-6p8v |
Cross-site Scripting in librenms |
Affected by 60 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-k3xn-xjwb-a3en
Aliases: CVE-2025-62365 GHSA-86rg-8hc8-v82p |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Prior to 25.7.0, there is a reflected-XSS in `report_this` function in `librenms/includes/functions.php`. The `report_this` function had improper filtering (`htmlentities` function was incorrectly use in a href environment), which caused the `project_issues` parameter to trigger an XSS vulnerability. This vulnerability is fixed in 25.7.0. |
Affected by 9 other vulnerabilities. |
|
VCID-k5z7-q82d-tue6
Aliases: CVE-2026-26988 GHSA-h3rv-q4rq-pqcv |
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0. |
Affected by 0 other vulnerabilities. |
|
VCID-kj8w-8fft-m3em
Aliases: CVE-2019-12465 GHSA-878x-85hc-gc4g |
SQL Injection in LibreNMS |
Affected by 71 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-kmqh-r237-a7gu
Aliases: CVE-2025-54138 GHSA-gq96-8w38-hhj2 |
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0. |
Affected by 9 other vulnerabilities. |
|
VCID-kujx-pwg2-9kfx
Aliases: CVE-2023-48294 GHSA-fpq5-4vwm-78x4 |
Affected by 38 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-mj4h-397a-nqbz
Aliases: CVE-2024-47524 GHSA-fc38-2254-48g7 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. User with Admin role can create a Device Groups, the application did not properly sanitize the user input in the Device Groups name, when user see the detail of the Device Group, if java script code is inside the name of the Device Groups, its will be trigger. This vulnerability is fixed in 24.9.0. |
Affected by 31 other vulnerabilities. |
|
VCID-nexf-h4db-vkh5
Aliases: CVE-2025-23201 GHSA-g84x-g96g-rcjc |
librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to Cross-site Scripting (XSS) on the parameters:`/addhost` -> param: community. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 12 other vulnerabilities. |
|
VCID-p7fj-s4ra-rqfe
Aliases: CVE-2022-3562 GHSA-5h77-4245-pg5p |
Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0. |
Affected by 49 other vulnerabilities. |
|
VCID-py7t-waeg-cfh8
Aliases: CVE-2024-32461 GHSA-cwx6-cx7x-4q34 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A SQL injection vulnerability in POST /search/search=packages in LibreNMS prior to version 24.4.0 allows a user with global read privileges to execute SQL commands via the package parameter. With this vulnerability, an attacker can exploit a SQL injection time based vulnerability to extract all data from the database, such as administrator credentials. Version 24.4.0 contains a patch for the vulnerability. |
Affected by 35 other vulnerabilities. |
|
VCID-qc4w-r2jh-a7hx
Aliases: CVE-2019-10671 GHSA-g9xh-3w5g-229r |
SQL Injection in LibreNMS |
Affected by 74 other vulnerabilities. |
|
VCID-r2tp-4cm4-b3b1
Aliases: CVE-2024-32480 GHSA-jh57-j3vq-h438 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Versions prior to 24.4.0 are vulnerable to SQL injection. The `order` parameter is obtained from `$request`. After performing a string check, the value is directly incorporated into an SQL statement and concatenated, resulting in a SQL injection vulnerability. An attacker may extract a whole database this way. Version 24.4.0 fixes the issue. |
Affected by 35 other vulnerabilities. |
|
VCID-r7fv-dr67-j7ht
Aliases: CVE-2023-4979 GHSA-jp3c-g46v-jg2c |
Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.9.0. |
Affected by 43 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-rfwn-r567-qben
Aliases: CVE-2025-65093 GHSA-6pmj-xjxp-p8g9 |
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. This issue has been patched in version 25.11.0. |
Affected by 3 other vulnerabilities. |
|
VCID-s58c-1ss7-jbh1
Aliases: CVE-2022-3231 GHSA-3jh2-wmv7-m932 |
LibreNMS stored Cross-site Scripting via Schedule Maintenance `Title` parameter |
Affected by 57 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-sm1m-7ca9-vfb4
Aliases: CVE-2022-0587 GHSA-ppfm-rj6p-38q6 |
Improper Authorization in librenms |
Affected by 60 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-sp7z-xykf-e7ce
Aliases: CVE-2019-10667 GHSA-f4hh-xxqh-wgpq |
Exposure of Sensitive Information to an Unauthorized Actor in LibreNMS |
Affected by 74 other vulnerabilities. |
|
VCID-srqm-zv16-eubv
Aliases: CVE-2023-4977 GHSA-57m2-mpc7-gwgx |
Code Injection in GitHub repository librenms/librenms prior to 23.9.0. |
Affected by 43 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-st22-w6hp-tka9
Aliases: CVE-2025-62412 GHSA-6g2v-66ch-6xmh |
LibreNMS is a community-based GPL-licensed network monitoring system. The alert rule name in the Alerts > Alert Rules page is not properly sanitized, and can be used to inject HTML code. This vulnerability is fixed in 25.10.0. |
Affected by 6 other vulnerabilities. |
|
VCID-tdcf-uak3-gfec
Aliases: CVE-2024-49759 GHSA-888j-pjqh-fx58 |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Manage User Access" page allows authenticated users to inject arbitrary JavaScript through the "bill_name" parameter when creating a new bill. This vulnerability can lead to the execution of malicious code when visiting the "Bill Access" dropdown in the user's "Manage Access" page, potentially compromising user sessions and allowing unauthorized actions. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-tj46-drf4-q7hy
Aliases: CVE-2022-4070 GHSA-x93j-3hh3-6x23 |
Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0. |
Affected by 49 other vulnerabilities. |
|
VCID-tq42-r5ny-nbfu
Aliases: CVE-2024-50352 GHSA-qr8f-5qqg-j3wg |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Services" section of the Device Overview page allows authenticated users to inject arbitrary JavaScript through the "name" parameter when adding a service to a device. This vulnerability could result in the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and enabling unauthorized actions. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-tube-fx1x-cka6
Aliases: CVE-2023-4347 GHSA-m6pf-cm3f-7876 |
Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.8.0. |
Affected by 48 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-u5dh-nt5q-4kh2
Aliases: CVE-2024-51497 GHSA-gv4m-f6fx-859x |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Custom OID" tab of a device allows authenticated users to inject arbitrary JavaScript through the "unit" parameter when creating a new OID. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, compromising their accounts and enabling unauthorized actions. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-upyd-sq4n-hycq
Aliases: CVE-2022-4067 GHSA-qch4-jmf8-xvp7 |
Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0. |
Affected by 49 other vulnerabilities. |
|
VCID-uwnc-rpz9-7be2
Aliases: CVE-2025-65014 GHSA-5mrf-j8v6-f45g |
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0. |
Affected by 3 other vulnerabilities. |
|
VCID-veyg-29sb-x7cs
Aliases: CVE-2020-36947 GHSA-qp2j-v5jg-hg68 |
LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection. |
Affected by 78 other vulnerabilities. |
|
VCID-vhry-3hqm-bbaz
Aliases: CVE-2022-0580 GHSA-33wf-4crm-2322 |
Improper Access Control in librenms |
Affected by 60 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vqdk-y6g3-gugt
Aliases: CVE-2025-47931 GHSA-hxw5-9cc5-cmw5 |
LibreNMS is PHP/MySQL/SNMP based network monitoring software. LibreNMS v25.4.0 and prior suffers from a Stored Cross-Site Scripting (XSS) Vulnerability in the `group name` parameter of the `http://localhost/poller/groups` form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. LibreNMS v25.5.0 contains a patch for the issue. |
Affected by 11 other vulnerabilities. |
|
VCID-w5bg-g2j5-7qh2
Aliases: CVE-2023-4980 GHSA-qxrq-376q-p39h |
Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 23.9.0. |
Affected by 43 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wkpv-dkbj-6ybd
Aliases: CVE-2025-23199 GHSA-27vf-3g4f-6jp7 |
librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: `/ajax_form.php` -> param: descr. Librenms version up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 12 other vulnerabilities. |
|
VCID-wq47-3ncm-7kfn
Aliases: CVE-2023-4982 GHSA-m6jj-fgmh-3p8r |
Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 23.9.0. |
Affected by 43 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-x61k-4513-hqew
Aliases: CVE-2024-52526 GHSA-8fh4-942r-jf2g |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Services" tab of the Device page allows authenticated users to inject arbitrary JavaScript through the "descr" parameter when adding a service to a device. This vulnerability could result in the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and enabling unauthorized actions. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-xf97-1u9d-mbhx
Aliases: CVE-2022-3561 GHSA-264w-gw9g-fhgj |
Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 22.10.0. |
Affected by 49 other vulnerabilities. |
|
VCID-y1p7-5z78-xkc2
Aliases: CVE-2019-12464 GHSA-r336-jxfr-4c3c |
Path Traversal in LibreNMS |
Affected by 71 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-y22w-mxrw-sbh1
Aliases: CVE-2022-0576 GHSA-rp34-85x3-3764 |
Cross-site Scripting in librenms |
Affected by 65 other vulnerabilities. Affected by 60 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ykxk-6j99-hqd2
Aliases: CVE-2024-47528 GHSA-x8gm-j36p-fppf |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Stored Cross-Site Scripting (XSS) can be achieved by uploading a new Background for a Custom Map. Users with "admin" role can set background for a custom map, this allow the upload of SVG file that can contain XSS payload which will trigger on load. This led to Stored Cross-Site Scripting (XSS). The vulnerability is fixed in 24.9.0. |
Affected by 31 other vulnerabilities. |
|
VCID-zbz2-hwqc-6ye4
Aliases: CVE-2018-18478 GHSA-9m82-f3wx-p625 |
Affected by 79 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-zhac-9svg-4fb3
Aliases: CVE-2024-50350 GHSA-xh4g-c9p6-5jxg |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Port Settings" page allows authenticated users to inject arbitrary JavaScript through the "name" parameter when creating a new Port Group. This vulnerability results in the execution of malicious code when the "Port Settings" page is visited after the affected Port Group is added to a device, potentially compromising user sessions and allowing unauthorized actions. This vulnerability is fixed in 24.10.0. |
Affected by 18 other vulnerabilities. |
|
VCID-zwya-b48n-tfcg
Aliases: CVE-2024-47527 GHSA-rwwc-2v8q-gc9v |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Device Dependencies" feature allows authenticated users to inject arbitrary JavaScript through the device name ("hostname" parameter). This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. This vulnerability is fixed in 24.9.0. |
Affected by 31 other vulnerabilities. |
|
VCID-zz5d-y7ak-zbdm
Aliases: CVE-2023-48295 GHSA-8phr-637g-pxrg |
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. Affected versions are subject to a cross site scripting (XSS) vulnerability in the device group popups. This issue has been addressed in commit `faf66035ea` which has been included in release version 23.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 38 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||