Netbox Community
Products (2)
- 37 CVEs
- 4 CVEs
Recent CVEs (40)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-29514 | | High | 0.50 | 8.8 | 0.01 | | May 4, 2026 | NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python… |
| CVE-2025-69848 | | | 0.00 | — | 0.00 | | Feb 3, 2026 | NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the ProtectedError handling logic, where object names are included in HTML error messages… |
| CVE-2024-56915 | | | 0.00 | — | 0.00 | | Jun 26, 2025 | Netbox Community v4.1.7 is vulnerable to Cross Site Scripting (XSS) via the RSS feed widget; fixed in v4.2.2. |
| CVE-2024-56916 | | | 0.00 | — | 0.00 | | Jun 24, 2025 | In Netbox Community 4.1.7, once authenticated, `Configuration History > Add` is vulnerable to cross-site scripting (XSS) due to the `current value` field rendering user-supplied HTML. An authenticated attacker can leverage this to add malicious JavaScript to any banner field.… |
| CVE-2024-56918 | | | 0.00 | — | 0.00 | | Jun 24, 2025 | In Netbox Community 4.1.7, the login page is vulnerable to cross-site scripting (XSS), which allows a privileged, authenticated attacker to exfiltrate user input from the login form. |
| CVE-2024-56917 | | | 0.00 | — | 0.00 | | Jun 24, 2025 | Netbox Community 4.1.7 is vulnerable to Cross Site Scripting (XSS) via the `maintenance banner` in maintenance mode. |
| CVE-2024-40727 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-server-ports/add/. |
| CVE-2024-40732 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/rear-ports/add/. |
| CVE-2024-38972 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-ports/add/. |
| CVE-2024-40740 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-feeds/{id}/edit/. |
| CVE-2024-40742 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the circuit ID parameter at /circuits/circuits/add. |
| CVE-2024-40739 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-feeds/add. |
| CVE-2024-40726 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-ports/{id}/edit/. |
| CVE-2024-40728 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-server-ports/{id}/edit/. |
| CVE-2024-40737 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-ports/add. |
| CVE-2024-40738 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-ports/{id}/edit/. |
| CVE-2024-40731 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/rear-ports/{id}/edit/. |
| CVE-2024-40730 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/interfaces/{id}/edit/. |
| CVE-2024-40741 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the circuit ID parameter at /circuits/circuits/{id}/edit/. |
| CVE-2024-40734 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/front-ports/add/. |