CVE-2025-23201: Librenms has a reflected XSS on error alert
A reflected cross-site scripting (XSS) vulnerability in the community parameter of the /addhost page of LibreNMS version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.
Proof of Concept:
1. Navigate to the /addhost path.
2. Fill in all required fields.
3. In the Community field, enter the following payload: "><img src=a onerror="alert(1)">
4. Submit the form to save changes.
5. The script executes when the error alert "No reply with community <payload>" appears.

The submitted community string is reflected into that error alert without HTML encoding, so the closing quote and angle bracket in the payload break out of the alert's markup and the injected img element's onerror handler runs in the browser of whoever is shown the page. The injection is only reachable through the failure path (the device does not answer the SNMP request), which is the normal outcome for an arbitrary community string.
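The pattern behind the proof of concept, as an added example that is not LibreNMS's code (the real application is PHP): a constructed model of the error alert built by string concatenation beside a hardened version that HTML-encodes the attacker-controlled value, plus two helpers a tester would use to form-encode the /addhost submission and to classify whether a response reflects the payload raw, encoded, or not at all. The field names other than community, the host value and the alert markup are assumptions made for this example.

```python
import html
from urllib.parse import urlencode

# Payload taken from the advisory's proof of concept.
PAYLOAD = '"><img src=a onerror="alert(1)">'


def render_error_vulnerable(community: str) -> str:
    """Constructed model of the flawed behaviour: the submitted community
    string is concatenated straight into the HTML of the error alert."""
    return f'<div class="alert alert-danger">No reply with community {community}</div>'


def render_error_safe(community: str) -> str:
    """Hardened form: encode the untrusted value for an HTML text context
    before it is placed in the document, so the closing quote and angle
    bracket in the payload cannot terminate the alert's markup."""
    return (
        '<div class="alert alert-danger">No reply with community '
        f'{html.escape(community, quote=True)}</div>'
    )


def build_probe_body(community: str, hostname: str = "10.0.0.1") -> str:
    """Form-encode the fields a tester would POST to /addhost.
    'hostname' and 'snmpver' are assumed names for the other required fields."""
    return urlencode({"hostname": hostname, "snmpver": "v2c", "community": community})


def classify_reflection(body: str, payload: str) -> str:
    """Classify how a response reflects the payload:
    'raw'     - payload present verbatim (exploitable),
    'encoded' - only the HTML-encoded form is present (mitigated),
    'absent'  - the payload does not appear at all."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    print("probe body:", build_probe_body(PAYLOAD))
    print("vulnerable:", classify_reflection(render_error_vulnerable(PAYLOAD), PAYLOAD))
    print("hardened:  ", classify_reflection(render_error_safe(PAYLOAD), PAYLOAD))
```

To use classify_reflection against a live target, feed it the response body of the /addhost submission; a result of "raw" together with the alert text "No reply with community" indicates the unpatched behaviour described above.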