Skip to main content

Netdata

4 CVEs product

Monthly

CVE-2025-71385 MEDIUM PATCH This Month

Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the `/api/v2/ilove.svg` or `/api/v3/ilove.svg` endpoints. The `love` query parameter is embedded verbatim into an SVG response served as `image/svg+xml`, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with `HTTP_ACL_NOCHECK` and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.

XSS Netdata
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2023-22497 CRITICAL POC Act Now

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Netdata
NVD GitHub
CVSS 3.1
9.1
EPSS
0.7%
CVE-2023-22496 CRITICAL POC THREAT Act Now

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Netdata
NVD GitHub
CVSS 3.1
9.8
EPSS
36.2%
CVE-2019-9834 MEDIUM POC This Month

The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Netdata
NVD GitHub Exploit-DB
CVSS 3.0
6.1
EPSS
5.1%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the `/api/v2/ilove.svg` or `/api/v3/ilove.svg` endpoints. The `love` query parameter is embedded verbatim into an SVG response served as `image/svg+xml`, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with `HTTP_ACL_NOCHECK` and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.

XSS Netdata
NVD GitHub VulDB
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Netdata
NVD GitHub
EPSS 36% CVSS 9.8
CRITICAL POC THREAT Act Now

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Netdata
NVD GitHub
EPSS 5% CVSS 6.1
MEDIUM POC This Month

The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Netdata
NVD GitHub Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy