๐Ÿ” CVE Alert

CVE-2025-71385

MEDIUM 6.1

Netdata < 2.3.1 - Reflected Cross-Site Scripting via love Parameter in ilove.svg Endpoint

CVSS Score: 6.1
EPSS Score: 0.0%
EPSS Percentile: 0th

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a <text> element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it, the injected script executes in the victim's browser within the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.
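The upstream fix removed the endpoint altogether. The C example below is added here and is not Netdata's code; it shows the general mitigation for the defect the description identifies: the query value is placed into the SVG <text> element only after XML escaping, so it can no longer close the element or introduce a <script> element into a document served as image/svg+xml. The function names, the SVG skeleton and the sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Append src to the NUL-terminated dst (total capacity cap), replacing the
 * five characters that can alter XML/SVG structure with entity references.
 * Returns 0 on success, -1 if the escaped text would not fit.
 * Hypothetical helper written for this example, not Netdata's code. */
static int xml_escape_append(char *dst, size_t cap, const char *src) {
    size_t len = strlen(dst);
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        switch (*src) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (len + rl + 1 > cap) return -1;   /* keep room for the terminator */
        memcpy(dst + len, rep, rl);
        len += rl;
        dst[len] = '\0';
    }
    return 0;
}

/* Render an ilove-style SVG with the query value used as character data of
 * the <text> element only. Returns 0 on success, -1 if out is too small. */
int render_ilove_svg(const char *love, char *out, size_t cap) {
    const char *head = "<svg xmlns=\"http://www.w3.org/2000/svg\" "
                       "width=\"300\" height=\"40\"><text x=\"10\" y=\"25\">I love ";
    const char *tail = "</text></svg>";
    if (strlen(head) + 1 > cap) return -1;
    strcpy(out, head);
    if (xml_escape_append(out, cap, love) != 0) return -1;
    if (strlen(out) + strlen(tail) + 1 > cap) return -1;
    strcat(out, tail);
    return 0;
}

int main(void) {
    char buf[512];
    /* Constructed input of the kind the advisory describes being reflected. */
    if (render_ilove_svg("<script>x</script>", buf, sizeof buf) == 0)
        puts(buf);   /* the value now appears as &lt;script&gt;x&lt;/script&gt; */
    return 0;
}
```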

CWE: CWE-79
Vendor: netdata
Product: netdata
Published: Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

netdata / netdata: all versions before 2.3.1 (0 <= version < 2.3.1)

References

NVD | CVE.org | EPSS Data

- github.com: https://github.com/netdata/netdata/releases/tag/v2.3.1
- github.com: https://github.com/netdata/netdata/pull/19919
- github.com: https://github.com/netdata/netdata/commit/f82554fe9b21b5ae51a8663a3f4ddce84cac16af
- vulncheck.com: https://www.vulncheck.com/advisories/netdata-reflected-cross-site-scripting-via-love-parameter-in-ilove-svg-endpoint

Credits

George Chen