Netdata
Monthly
Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the `/api/v2/ilove.svg` or `/api/v3/ilove.svg` endpoints. The `love` query parameter is embedded verbatim into an SVG response served as `image/svg+xml`, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with `HTTP_ACL_NOCHECK` and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.
Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the `/api/v2/ilove.svg` or `/api/v3/ilove.svg` endpoints. The `love` query parameter is embedded verbatim into an SVG response served as `image/svg+xml`, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with `HTTP_ACL_NOCHECK` and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.
Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.