Stored Cross-Site Scripting in OpenNMS Horizon by OpenNMS
CVE-2025-53121

6.9 MEDIUM

Key Information:

Vendor
CVE Published: 26 June 2025

What is CVE-2025-53121?

Multiple stored XSS vulnerabilities were identified in OpenNMS Horizon versions 33.0.8 and earlier, and in Meridian releases prior to 2024.2.6. Unsanitized parameters allow attackers to store malicious scripts in the database. When those scripts are later executed on web pages, they can inject unauthorized HTML or JavaScript, posing significant security risks. OpenNMS advises upgrading to Horizon 33.1.6 or newer, or Meridian 2024.2.6 or newer, to mitigate these vulnerabilities. It is essential to follow the installation guidelines: both Horizon and Meridian are designed for deployment on private, segmented networks and should not be exposed to the Internet. Fábio Tomé is credited with bringing this issue to light.

Affected Version(s)

Horizon Windows 33.0.8 < 33.1.6, 33.1.7

Meridian Windows 2024.1.4 < 2024.2.6, 2024.2.7

Meridian Windows 2023.1.20 < 2024.2.6, 2024.2.7

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Fábio Tomé