Moderate severityNVD Advisory· Published Aug 18, 2025· Updated Aug 18, 2025
LibreNMS allows stored XSS in Alert Template name field
CVE-2025-55296
Description
librenms is a community-based GPL-licensed network monitoring system. A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the template is rendered, potentially compromising other admin accounts. This vulnerability is fixed in 25.8.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
librenms/librenmsPackagist | < 25.8.0 | 25.8.0 |
Affected products
1Patches
18ade3d827d31Fix alert template name xss (#18156)
2 files changed · +2 −4
includes/html/forms/parse-alert-template.inc.php+0 −2 modified@@ -26,7 +26,6 @@ 'name' => '', 'title' => '', 'title_rec' => '', - 'type' => '', 'rules' => $rules, ]; @@ -37,7 +36,6 @@ 'name' => $template['name'], 'title' => $template['title'], 'title_rec' => $template['title_rec'], - 'type' => $template['type'], ]; }
includes/html/print-alert-templates.php+2 −2 modified@@ -50,8 +50,8 @@ $old_template = strpos($template['template'], '{/if}') !== false ? '1' : ''; echo '<tr data-row-id="' . $template['id'] . '"> <td>' . $template['id'] . '</td> - <td>' . $template['name'] . '</td> - <td>' . json_encode($template['alert_rules']) . '</td> + <td>' . htmlspecialchars($template['name']) . '</td> + <td>' . htmlspecialchars(json_encode($template['alert_rules'])) . '</td> <td>' . $old_template . '</td> </tr>'; }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-vxq6-8cwm-wj99ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-55296ghsaADVISORY
- github.com/librenms/librenms/commit/8ade3d827d317f5ac4b336617aafff865f825958ghsax_refsource_MISCWEB
- github.com/librenms/librenms/security/advisories/GHSA-vxq6-8cwm-wj99ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.