
Cloud Vulnerability DB
A community-led vulnerabilities database
LibreNMS, an open-source PHP/MySQL/SNMP-based network monitoring system, was found to contain a reflected Cross-Site Scripting (XSS) vulnerability in versions prior to 25.7.0. The vulnerability exists in the report_this function within librenms/includes/functions.php, where improper filtering using the htmlentities function in an href environment allowed the project_issues parameter to be exploited. The vulnerability was disclosed on October 13, 2025, and has been assigned CVE-2025-62365 (GitHub Advisory, NVD).
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS 4.0 score of 5.5 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P. The vulnerable sink was identified in the report_this function, where the improper implementation of the htmlentities function in an href environment failed to properly sanitize the project_issues parameter (GitHub Advisory).
The XSS vulnerability allows attackers to execute malicious scripts in users' browsers, which could lead to unauthorized access to sensitive data, session hijacking, or potential distribution of malware (GitHub Advisory).
The vulnerability has been fixed in LibreNMS version 25.7.0. The recommended mitigation strategy includes filtering dangerous protocols such as javascript: and file:. Users are advised to upgrade to version 25.7.0 or later to address this security issue (GitHub Advisory).
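The following added example (not LibreNMS code and not the project's actual patch) shows why htmlentities alone is insufficient for a value placed in an href attribute, next to a scheme check of the kind the mitigation describes. The function names encode_only and safe_href, the '#' fallback and the sample values are assumptions constructed for illustration, and the check is written as an http/https allowlist rather than a denylist of javascript: and file:.

```php
<?php
// Added illustration, not LibreNMS code. Names and sample values are constructed.

// Entity-encoding only: stops the value from breaking out of the attribute,
// but a URL scheme contains no characters that htmlentities rewrites.
function encode_only(string $url): string
{
    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}

// Check the scheme first, then entity-encode for the attribute context.
function safe_href(string $url, string $fallback = '#'): string
{
    // Strip leading/trailing whitespace and control characters, which
    // browsers ignore when resolving the scheme of a link.
    $url = trim($url, "\x00..\x20");

    // Allowlist: only absolute http(s) URLs may reach the href.
    if (preg_match('#^https?://#i', $url) !== 1) {
        return $fallback;
    }

    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'https://example.org/issues',      // expected value: kept by both
    'javascript:void(0)',              // unchanged by encode_only, rejected by safe_href
    '  JavaScript:void(0)',            // case and leading-space variant, rejected
    'file:///etc/hostname',            // local file scheme, rejected
    'https://example.org/?q="><b>',    // quotes and brackets are entity-encoded
];

foreach ($samples as $value) {
    printf("input      : %s\n", json_encode($value));
    printf("encode_only: <a href=\"%s\">\n", encode_only($value));
    printf("safe_href  : <a href=\"%s\">\n\n", safe_href($value));
}
```

In the output, encode_only leaves the javascript: and file: values intact inside the href, while safe_href replaces them with the fallback and still entity-encodes the accepted URL.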
Source: This report was generated using AI