CVE-2025-62365

Summary

Reflected-XSS in report_this function in librenms/includes/functions.php

Details

Recently, it was discovered that the report_this function had improper filtering (htmlentities function was incorrectly used in a href environment), which caused the project_issues parameter to trigger an XSS vulnerability.

The Vulnerable Sink: https://github.com/librenms/librenms/blob/master/includes/functions.php#L444

PoC

GET project_issues=javascript:alert(document.cookie)

Impact

XSS vulnerabilities allow attackers to execute malicious scripts in users' browsers, enabling unauthorized access to sensitive data, session hijacking, or malware distribution.

Suggestion

It is recommended to filter dangerous protocols, e.g. javascript:/file:.

Published: Oct 13, 2025
Updated: Oct 14, 2025
CVE: CVE-2025-62365
GHSA: GHSA-86rg-8hc8-v82p
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
librenms / librenms	-	25.7.0

Vulnerability Database

CVE-2025-62365

Summary

Details

PoC

Impact

Suggestion

Deep Security Visibility Without the Complexity