CVE-2025-71385
Severity CVSS v4.0:
MEDIUM
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
02/07/2026
Last modified:
02/07/2026
Description
Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=...; when a victim navigates to it the injected script executes in the victim browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.
Impact
Base Score 4.0
5.10
Severity 4.0
MEDIUM
Base Score 3.x
6.10
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/netdata/netdata/commit/f82554fe9b21b5ae51a8663a3f4ddce84cac16af
- https://github.com/netdata/netdata/pull/19919
- https://github.com/netdata/netdata/releases/tag/v2.3.1
- https://www.vulncheck.com/advisories/netdata-reflected-cross-site-scripting-via-love-parameter-in-ilove-svg-endpoint



