CVE-2025-47931: LibreNMS stored Cross-site Scripting vulnerability in poller group name

CVSS Score: 2.1 (CVSS 4.0)

Basic Information

EPSS Score: 0.0004%
Published: 5/19/2025
Updated: 5/19/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| librenms/librenms | composer | < 25.5.0 | 25.5.0 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability is a stored XSS: the 'group name' of a poller group is rendered unsanitized on the 'addhost' page. Commit 009d79ff9126ed5e01a2f0e619bd6fb252c3f0d5 shows the fix in includes/html/pages/addhost.inc.php, which adds htmlentities() to $group['group_name'] before it is echoed inside an HTML <option> tag. Before the patch, group_name was output directly, which led to the XSS. The output happens directly in the addhost.inc.php script rather than inside a user-defined function visible in the patch, so the script file itself is considered the vulnerable component at runtime. The POC also confirms that the payload executes when the victim navigates to http://localhost/addhost, which is handled by addhost.inc.php.
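The before-and-after behaviour described above, as an added example that is not LibreNMS code: it renders the same stored rows with and without htmlentities() and reports which element names reach the markup, a check usable as a regression test. The function names, the `id` key, the htmlentities() flags and the sample rows are assumptions; only `group_name`, htmlentities() and the `<option>` context come from the page.

```php
<?php
// Added example, not LibreNMS code. Function names, the 'id' key and the
// sample rows are assumptions; 'group_name' and htmlentities() are from the page.

/** Pre-patch behaviour as described: group_name is echoed as stored. */
function render_options_unescaped(array $groups): string
{
    $html = '';
    foreach ($groups as $group) {
        $html .= '<option value="' . (int) $group['id'] . '">' . $group['group_name'] . "</option>\n";
    }
    return $html;
}

/** Patched behaviour: htmlentities() is applied to group_name at output time. */
function render_options_escaped(array $groups): string
{
    $html = '';
    foreach ($groups as $group) {
        // Flags are this example's choice; the page only states that htmlentities() was added.
        $name = htmlentities($group['group_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<option value="' . (int) $group['id'] . '">' . $name . "</option>\n";
    }
    return $html;
}

/** Regression check: list the distinct element names opened in the markup. */
function element_names(string $html): array
{
    preg_match_all('/<\s*([a-zA-Z][a-zA-Z0-9]*)/', $html, $m);
    return array_values(array_unique(array_map('strtolower', $m[1])));
}

// Constructed rows standing in for stored poller groups.
$groups = [
    ['id' => 1, 'group_name' => 'Datacenter East'],
    ['id' => 2, 'group_name' => 'R&D "lab"'],
    ['id' => 3, 'group_name' => '<script>alert(1)</script>'],
];

foreach (['unescaped' => 'render_options_unescaped', 'escaped' => 'render_options_escaped'] as $label => $fn) {
    $tags = element_names($fn($groups));
    // A poller group dropdown should only ever contain <option> elements.
    $unexpected = array_diff($tags, ['option']);
    printf("%-9s elements: %-16s %s\n", $label, implode(',', $tags), $unexpected ? 'FAIL' : 'ok');
}
```

Escaping at output time also neutralizes group names that were stored before the upgrade, so existing rows do not need to be rewritten for the fix to take effect.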
