GHSA-RXF6-WJH4-JFJ6 Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)

Summary createAlertRule and createService and their update siblings accept FailTriggerTasks uint64 and RecoverTriggerTasks uint64 — IDs of cron tasks to fire when the alert/service trips. The validation function only validates the alert's Rules.Ignore server map; it never checks that the cron tas...

Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)

Summary createAlertRule and createService and their update siblings accept FailTriggerTasks uint64 and RecoverTriggerTasks uint64 — IDs of cron tasks to fire when the alert/service trips. The validation function only validates the alert's Rules.Ignore server map; it never checks that the cron tas...

PT-2026-42859

Summary createAlertRule and createService and their update siblings accept FailTriggerTasks uint64 and RecoverTriggerTasks uint64 — IDs of cron tasks to fire when the alert/service trips. The validation function only validates the alert's Rules.Ignore server map; it never checks that the cron tas...

Stored Cross-Site Scripting (XSS)

librenms/librenms is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of the alert rule name in the Alert Rule API, which allows an attacker to inject malicious HTML code when creating or updating alert rules via the API...

EUVD-2025-204770

LibreNMS Alert Rule API Cross-Site Scripting Vulnerability...

GHSA-C89F-8G7G-59WJ LibreNMS Alert Rule API Cross-Site Scripting Vulnerability

Please find POC file here https://trendmicro-my.sharepoint.com/:u:/p/kholoudaltookhy/IQCfcnOE5ykQSb6Fm-HFI872AZzeIJxU-3aDk0jheXNE?e=zkN76d ZDI-CAN-28575: LibreNMS Alert Rule API Cross-Site Scripting Vulnerability -- CVSS ----------------------------------------- 4.3:...

LibreNMS Alert Rule API Cross-Site Scripting Vulnerability

Please find POC file here https://trendmicro-my.sharepoint.com/:u:/p/kholoudaltookhy/IQCfcnOE5ykQSb6Fm-HFI872AZzeIJxU-3aDk0jheXNE?e=zkN76d ZDI-CAN-28575: LibreNMS Alert Rule API Cross-Site Scripting Vulnerability -- CVSS ----------------------------------------- 4.3:...

CVE-2025-68614

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject...

LibreNMS 跨站脚本漏洞

LibreNMS is an open source network monitoring system based on PHP and MySQL from the LibreNMS community. The system features customizable alerts, auto-discovery of network environments, and automatic updates. A cross-site scripting vulnerability exists in LibreNMS versions prior to 25.12.0, which...

LibreNMS Alert Rule API Cross-Site Scripting Vulnerability

This vulnerability allows remote attackers to execute arbitrary script on affected installations of LibreNMS. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the name parameter provided to the rules endpoint. The issue results from the lac...

CVE-2025-68614 LibreNMS Alert Rule API Cross-Site Scripting Vulnerability

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject...

CVE-2025-68614 LibreNMS Alert Rule API Cross-Site Scripting Vulnerability

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject...

CVE-2025-68614

Summary: CVE-2025-68614 affects LibreNMS prior to 25.12.0, where the Alert Rule API is vulnerable to stored cross-site scripting. The root cause is insufficient sanitization of the alert rule name when creating/updating rules via the API, allowing injected HTML that can be rendered in the Alerts ...

CVE-2025-68614 LibreNMS Alert Rule API Cross-Site Scripting Vulnerability

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject...

PT-2025-52726

Name of the Vulnerable Software and Affected Versions LibreNMS versions prior to 25.12.0 Description LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring tool, contains a stored cross-site scripting issue in the Alert Rule API. The alert rule name is not properly sanitized,...

CVE-2025-62412

LibreNMS is a community-based GPL-licensed network monitoring system. The alert rule name in the Alerts Alert Rules page is not properly sanitized, and can be used to inject HTML code. This vulnerability is fixed in 25.10.0...

LibreNMS 安全漏洞

LibreNMS is an open source network monitoring system based on PHP and MySQL from the LibreNMS community. The system features customizable alerts, auto-discovery of network environments, and automatic updates. A security vulnerability exists in LibreNMS versions prior to 25.10.0, which stems from...

EUVD-2024-48948

Malicious code in bioql PyPI...

BIT-GRAFANA-2024-8118 Grafana alerting wrong permission on datasource rule write endpoint

In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules...

LibreNMS has a Persistent XSS from Insecure Input Sanitization Affects Multiple Endpoints

Summary The application fail to sanitising inputs properly and rendering the code from user input to browser which allow an attacker to execute malicious javascript code. Details User with Admin role can edit the Display Name of a device, the application did not properly sanitize the user input i...