Impact
LibreNMS, an auto‑discovering PHP/MySQL network monitoring tool, contains a stored cross‑site scripting flaw (CWE‑79) in its Alert Rules management interface. An administrator who can edit alert rules may embed arbitrary script content that is persisted in the database and executes in the browser of any user who subsequently views the Alert Rules page. The flaw therefore lets a malicious insider with elevated privileges, or an attacker holding a compromised admin account, run script in the session context of other legitimate users, which can enable session hijacking, forced navigation, or defacement of the web interface. It does not grant arbitrary code execution on the host, but it does put user accounts and the confidentiality of data shown in the interface at risk.
Affected Systems
All LibreNMS installations running version 25.12.0 or earlier. The vulnerability record lists the affected vendor as librenms and the product as LibreNMS. The issue has been addressed in release 26.2.0, so any deployment of 26.2.0 or later is considered mitigated.
Risk and Exploitability
The vulnerability has a moderate CVSS score of 4.3 and a very low EPSS (<1%). It is not catalogued in the CISA Known Exploited Vulnerabilities list. Exploitation requires administrative credentials to inject the payload. Once injected, the script runs in the browser context of any user who accesses the Alert Rules page, yielding client‑side attacks but not remote code execution on the server. Given the low exploitation probability and moderate severity, the overall risk is moderate, but remediation is recommended before any exploitation is observed.
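The Impact and Risk sections above describe the two halves of a stored XSS: untrusted markup persisted in an alert‑rule field, and that field rendered unescaped into a page other users view. The following is an added example, not LibreNMS code or part of the advisory, that shows the defender's side of both: a small audit that flags stored alert‑rule fields containing HTML tags, event‑handler attributes or script URLs (useful for reviewing existing rules on an instance that ran an affected version), and the output encoding that makes such content harmless at render time. The row layout and the field names `id`, `name` and `notes` are assumptions, and the sample rows are constructed for the example.

```python
"""Audit stored alert-rule fields for injected markup and show the output
encoding that prevents stored XSS.

Added example, not LibreNMS code. The row layout and the field names
(`id`, `name`, `notes`) are assumptions; the sample rows are constructed."""
import html
import re
from html.parser import HTMLParser


class _MarkupDetector(HTMLParser):
    """Records every tag, event-handler attribute and script URL seen in a
    string that is supposed to be plain text (a rule name or note)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event handler {lname} on <{tag}>")
            elif value and re.match(r"\s*(javascript|vbscript|data):", value, re.I):
                self.findings.append(f"script URL in {lname} on <{tag}>")

    def handle_endtag(self, tag):
        self.findings.append(f"closing tag </{tag}>")


def find_markup(text):
    """Return a list of markup findings for one field value; an empty list
    means the value parses as plain text (already-escaped entities such as
    &lt;b&gt; are plain text and are not flagged)."""
    det = _MarkupDetector()
    det.feed(text)
    det.close()
    return det.findings


def audit_rules(rows):
    """Return {rule_id: [findings]} for rows whose free-text fields carry
    markup. Any tag at all in a rule name is suspicious and worth review;
    this does not try to decide whether a given tag is exploitable."""
    report = {}
    for row in rows:
        findings = []
        for field in ("name", "notes"):
            for finding in find_markup(row.get(field) or ""):
                findings.append(f"{field}: {finding}")
        if findings:
            report[row["id"]] = findings
    return report


def render_cell(value):
    """Output encoding for an HTML text node or quoted attribute. This is the
    class of fix for CWE-79: escape at render time rather than trusting that
    a stored string is harmless."""
    return html.escape(value, quote=True)


# Constructed sample rows standing in for an export of the alert-rule table.
# Rows 2 and 3 carry textbook test markup; row 4 shows already-escaped text.
SAMPLE_RULES = [
    {"id": 1, "name": "Device down", "notes": "Page on-call"},
    {"id": 2, "name": "Port errors <script>alert(1)</script>", "notes": ""},
    {"id": 3, "name": "CPU high", "notes": '<img src=x onerror="alert(1)">'},
    {"id": 4, "name": "Temp &lt;b&gt;bold&lt;/b&gt; already escaped", "notes": None},
]

if __name__ == "__main__":
    for rule_id, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {rule_id}:")
        for finding in findings:
            print(f"  {finding}")
    # What the flagged name looks like once it is escaped for the page:
    print(render_cell(SAMPLE_RULES[1]["name"]))
```

Run against a real export, the audit is a triage aid, not a proof of absence: it reports rows that contain any tag or event handler so a reviewer can inspect them, and the upgrade to 26.2.0 remains the actual fix. `render_cell` illustrates the encoding a template must apply to every stored field placed in HTML; the same value placed inside a JavaScript block or a URL would need the encoding appropriate to that context instead.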
OpenCVE Enrichment
GitHub GHSA