CVE-2025-62412: 
PHP vulnerability analysis and mitigation

LibreNMS, a community-based GPL-licensed network monitoring system, was found to contain a Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-62412. The vulnerability was discovered in version 25.8.0 and fixed in version 25.10.0. The issue exists in the alert rule name field within the Alerts > Alert Rules page, where insufficient input sanitization allows for HTML code injection (GitHub Advisory, NVD).

The vulnerability stems from improper sanitization of the alert rule name parameter in the alert-rules functionality. When creating or updating an alert rule via ajaxform.php, the name parameter is processed by includes/html/forms/alert-rules.inc.php. Although striptags() is used for sanitization, it can be bypassed using XML character references. The vulnerability is triggered when a victim browses to the Alerts > Alert Rule page, where the bootgrid() function rewrites table cells, causing XML character references to be decoded and executed as HTML tags (GitHub Advisory). The vulnerability has a CVSS v3.1 base score of 3.8 (Low) with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows an attacker to inject and execute arbitrary HTML code in the context of other users' browsers who access the alert rules page. This could lead to the exposure of sensitive information and potential manipulation of the web interface (GitHub Advisory).

The vulnerability has been patched in LibreNMS version 25.10.0. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory, NVD).

The vulnerability was discovered by Simon Humbert of Trend Research, Trend Micro, and was reported through the Zero Day Initiative (ZDI) program. The issue was assigned tracking number ZDI-CAN-28105 (GitHub Advisory).