Moderate severityNVD Advisory· Published Nov 18, 2025· Updated Nov 19, 2025
LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
CVE-2025-65013
Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a reflected cross-site scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser. This issue has been patched in version 25.11.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
librenms/librenmsPackagist | < 25.11.0 | 25.11.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-j8cq-7f6p-256xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-65013ghsaADVISORY
- github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256xghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.