Moderate severityNVD Advisory· Published Nov 18, 2025· Updated Nov 19, 2025
LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint
CVE-2025-65093
Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. This issue has been patched in version 25.11.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
librenms/librenmsPackagist | < 25.11.0 | 25.11.0 |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-6pmj-xjxp-p8g9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-65093ghsaADVISORY
- github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.