GHSA-v7qw-hx66-4w9x: Stored Cross-Site Scripting (XSS) in NetBox Data Flows Plugin
Vulnerability ID: GHSA-V7QW-HX66-4W9X
CVSS Score: 8.7
Published: 2026-05-07
A stored Cross-Site Scripting (XSS) vulnerability exists in the netbox-data-flows plugin for NetBox, affecting versions prior to 1.5.1. Authenticated attackers with permissions to modify ObjectAlias records can inject arbitrary HTML and JavaScript, which executes in the context of other users viewing DataFlow tables.
TL;DR
The netbox-data-flows plugin improperly escapes ObjectAlias names before rendering them in DataFlow tables. Authenticated users can inject malicious scripts into these fields, leading to stored XSS that can compromise high-privileged administrators.
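The defect class described above, shown as an added illustration that is not code from netbox-data-flows or NetBox: a table cell that interpolates an ObjectAlias name straight into markup, beside the hardened version that escapes every untrusted value first. The plugin's real column is a Django/django-tables2 render method; here the standard library's `html.escape` stands in for Django's `conditional_escape`/`format_html`, and the payload, URL and function names are constructed for the example.

```python
# Added illustration, not the plugin's code: unescaped vs. escaped rendering
# of an untrusted ObjectAlias name inside an HTML table cell.
from html import escape

# Constructed sample alias name carrying an HTML payload (benign test vector).
MALICIOUS_NAME = "<script>alert(1)</script>"


def render_alias_cell_unsafe(name: str, url: str) -> str:
    """Vulnerable pattern: the alias name is placed into markup verbatim,
    so any HTML it contains becomes part of the page for every viewer."""
    return f'<a href="{url}">{name}</a>'


def render_alias_cell_safe(name: str, url: str) -> str:
    """Hardened pattern: each untrusted value is HTML-escaped (including
    quotes) before being placed in markup, the equivalent of Django's
    format_html(). The browser then shows the name as text, not markup."""
    return f'<a href="{escape(url, quote=True)}">{escape(name, quote=True)}</a>'


def contains_live_markup(rendered: str, payload: str) -> bool:
    """True if the raw payload survived into the rendered output unchanged."""
    return payload in rendered


if __name__ == "__main__":
    # Assumed, illustrative object URL; not a documented plugin path.
    url = "/plugins/data-flows/object-aliases/1/"
    print("unsafe:", render_alias_cell_unsafe(MALICIOUS_NAME, url))
    print("safe:  ", render_alias_cell_safe(MALICIOUS_NAME, url))
```

The safe variant escapes the URL as well as the name: in a table that links each alias to its object, the attribute context is a second injection point that a name-only fix would miss.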
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79 (Cross-site Scripting)
- Attack Vector: Network
- CVSS v3.1: 8.7 (High)
- Impact: Session Hijacking, Privilege Escalation
- Exploit Status: Proof of Concept Available
- Authentication Requirement: Required (Low Privileges)
Affected Systems
- NetBox implementations utilizing the netbox-data-flows plugin < 1.5.1
- netbox-data-flows: < 1.5.1 (Fixed in: 1.5.1)
Exploit Details
- GitHub Advisory: Proof of Concept methodology detailing the injection of into an ObjectAlias name.
Mitigation Strategies
- Upgrade to netbox-data-flows version 1.5.1 or higher.
- Implement Content Security Policy (CSP) headers to restrict inline script execution.
- Audit existing ObjectAlias records for anomalous HTML or JavaScript payloads.
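The audit step above, as an added example that is not part of the advisory or the plugin: a scanner that flags ObjectAlias names containing tags, event-handler attributes, `javascript:` URLs or HTML entities, run here over constructed sample records. The `fetch_aliases` helper pulls records through the NetBox REST API using its standard `Authorization: Token` header and `results`/`next` pagination; the plugin's API path passed to it is an assumption and should be checked against what `/api/plugins/` lists on your instance.

```python
# Added example, not the plugin's code: scan ObjectAlias names for
# HTML/JavaScript-looking content so stored payloads can be found and
# cleaned up alongside the upgrade to 1.5.1.
import json
import re
import urllib.request
from typing import Iterable, List

# Patterns that have no place in a legitimate alias name.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-zA-Z]"),               # opening or closing tag
    re.compile(r"\bon[a-z]+\s*=", re.I),             # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),             # javascript: URL
    re.compile(r"&(#x?[0-9a-f]+|[a-z]+);", re.I),    # entities that may decode to markup
]

# Constructed sample records in the shape of NetBox API results.
SAMPLE_RECORDS = [
    {"id": 1, "name": "db-primary"},
    {"id": 2, "name": "<script>alert(1)</script>"},
    {"id": 3, "name": "web tier (prod)"},
    {"id": 4, "name": 'x" onmouseover=alert(1) y'},
    {"id": 5, "name": "AT&T uplink"},
]


def is_suspicious(name: str) -> bool:
    """True if the name matches any pattern that indicates injected markup."""
    return any(p.search(name) for p in SUSPICIOUS_PATTERNS)


def find_suspicious_aliases(records: Iterable[dict]) -> List[dict]:
    """Return the records whose 'name' looks like markup, annotated with
    the patterns that matched, for manual review before deletion."""
    hits = []
    for rec in records:
        name = rec.get("name", "")
        matched = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(name)]
        if matched:
            hits.append({"id": rec.get("id"), "name": name, "matched": matched})
    return hits


def fetch_aliases(base_url: str, token: str,
                  path: str = "/api/plugins/data-flows/object-aliases/") -> List[dict]:
    """Pull every ObjectAlias through the NetBox REST API, following
    pagination. The default path is an assumption, not a documented URL."""
    url = base_url.rstrip("/") + path + "?limit=500"
    results: List[dict] = []
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Token {token}", "Accept": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        results.extend(page.get("results", []))
        url = page.get("next")
    return results


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_aliases("https://netbox.example", "<api-token>") for a live audit.
    for hit in find_suspicious_aliases(SAMPLE_RECORDS):
        print(f"id={hit['id']} name={hit['name']!r} matched={hit['matched']}")
```

Treat matches as candidates for review rather than proof of compromise: names with a stray `<` or an `&...;` sequence can be legitimate, but the tag and event-handler patterns are the ones that reproduce this advisory's payload class and deserve a look at who created or last edited the record.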
Remediation Steps:
- Access the NetBox server operating environment.
- Activate the Python virtual environment used by NetBox.
- Execute `pip install --upgrade "netbox-data-flows>=1.5.1"` (quote the version specifier so the shell does not treat `>=` as an output redirection).
- Restart the NetBox WSGI/ASGI service (e.g., `systemctl restart netbox netbox-rq`).
- Verify the application logs for successful plugin initialization.