CVE-2025-65013 MEDIUM

CVE-2025-65013: LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`

Vendor: Librenms
Product: librenms
Weakness: CWE-79 · XSS
Published: November 18, 2025
Last update: November 19, 2025

CVSS base score

6.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP-based network monitoring tool. Prior to version 25.11.0, the LibreNMS application has a reflected cross-site scripting (XSS) vulnerability at the `/maps/nodeimage` endpoint. The `Image Name` parameter is reflected in the HTTP response without proper output encoding or sanitization, so an attacker can craft a URL that, when visited by a victim, causes arbitrary JavaScript to execute in the victim's browser. This issue has been patched in version 25.11.0.

Key dates

02 Disclosure timeline

November 18, 2025: CVE published
November 19, 2025: Record updated
