Description
Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts.
Published: 2026-03-16
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw in NetBox 4.3.5. Input entered into the "comment" field on object forms is not properly sanitized and is rendered as arbitrary HTML in the web UI. This allows an attacker who can inject content into the comment field to display malicious scripts or foreign content to other users, potentially enabling phishing or UI redress attacks. The weakness is identified by CWE-79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

The affected product is NetBox version 4.3.5, as identified by the CPE string cpe:2.3:a:netbox:netbox:4.3.5:*:*:*:*:*:*:*. No additional vendor or product information is provided.

Risk and Exploitability

The CVSS score is 6.1, indicating moderate severity. EPSS indicates a low exploitation probability (<1%), and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to submit or edit comments in NetBox, implying authenticated access to object forms. Once a comment is injected, the stored payload is rendered for every user who views the form, giving the attack a broad reach that is nonetheless confined to the web UI context. The risk is moderate and primarily concerns attacks against users rather than system compromise.

Generated by OpenCVE AI on March 20, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NetBox to the latest patched release that removes the XSS vulnerability.
  • If an upgrade is not immediately possible, apply input sanitization to the comment field to escape HTML tags or strip disallowed content.
  • Restrict comment editing privileges to trusted users or roles until a patch is available.
  • Monitor the application for unexpected scripts or DOM modifications that may indicate exploitation.


Tracking


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
Title | | Cross-Site Scripting via Comment Field in NetBox 4.3.5

Fri, 20 Mar 2026 14:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:netbox:netbox:4.3.5:*:*:*:*:*:*:*

Tue, 17 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Netbox; Netbox netbox
Vendors & Products | | Netbox; Netbox netbox

Mon, 16 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-79
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-16T19:10:44.673Z

Reserved: 2025-08-17T00:00:00.000Z

Link: CVE-2025-57543

Vulnrichment

Updated: 2026-03-16T19:10:37.239Z

NVD

Status : Analyzed

Published: 2026-03-16T16:16:13.030

Modified: 2026-03-20T13:56:20.397

Link: CVE-2025-57543

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:04Z

Weaknesses