CVE-2025-62411: 
PHP vulnerability analysis and mitigation

LibreNMS, a community-based GPL-licensed network monitoring system, versions 25.8.0 and earlier contain a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-62411) in the Alert Transports management functionality. The vulnerability was discovered on October 16, 2025, and a fix was released in version 25.10.0. The issue affects the Transport name field in the Alert Transports feature, where improper input validation and output encoding can lead to arbitrary JavaScript execution (GitHub Advisory).

The vulnerability exists in the Alert Transports management functionality where the Transport name field value is stored and later rendered in the Transports column of the Alert Rules page without proper sanitization. The vulnerability has a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The injection point is located in the /alert-transports path, while the execution point is in the /alert-rules page (GitHub Advisory, NVD).

The impact of this vulnerability is limited to administrator accounts who have access to the Alert Rules page. When exploited, it allows arbitrary JavaScript execution in the administrator's browser, potentially leading to unauthorized actions or data theft within the admin's session (GitHub Advisory).

The vulnerability has been fixed in LibreNMS version 25.10.0. Users are advised to upgrade to this version or later to address the security issue. No alternative workarounds have been provided (GitHub Advisory).