Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 02 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it the injected script executes in the victim browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint. | |
| Title | Netdata < 2.3.1 - Reflected Cross-Site Scripting via love Parameter in ilove.svg Endpoint | |
| First Time appeared |
Netdata
Netdata netdata |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Netdata
Netdata netdata |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-02T19:37:42.359Z
Reserved: 2026-07-01T15:52:12.626Z
Link: CVE-2025-71385
No data.
No data.
No data.
OpenCVE Enrichment
No data.