CVE-2025-55296: 
PHP vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-55296) was discovered in LibreNMS versions 25.6.0 and earlier. The vulnerability exists in the Alert Template creation feature, specifically in the Template name field. The issue was discovered on August 18, 2025, and affects the community-based GPL-licensed network monitoring system (GitHub Advisory).

The vulnerability stems from improper sanitization of user input in the Template name field when creating new alert templates. When a user with admin privileges visits /templates and creates a new alert template, the application fails to properly sanitize the Template name field input. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 score is 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N (GitHub Advisory).

The vulnerability allows an authenticated user with admin role to inject malicious JavaScript code, which is then executed when the template is rendered. This can potentially lead to session hijacking, data theft, or other malicious actions targeting other admin users. The scope is limited to users with admin privileges who access the Alert Templates page (GitHub Advisory).

The vulnerability has been fixed in LibreNMS version 25.8.0. The fix involves properly sanitizing the template name output using htmlspecialchars() function (GitHub Commit). Users are advised to upgrade to version 25.8.0 or later to address this security issue.