Vendor

Netbox

3 briefs RSS

critical advisory

NetBox Vulnerability Allows Remote Code Execution

2 rules 1 TTP

A remote, authenticated attacker can exploit a vulnerability in NetBox to execute arbitrary program code.

NetBox code-execution web-application

2r 1t May 5, 2026

critical advisory

NetBox RCE via Jinja2 Template Injection (CVE-2026-29514)

2 rules 1 TTP 1 CVE

NetBox versions 4.3.5 through 4.5.4 are vulnerable to remote code execution (RCE) via template injection, where authenticated users with specific permissions can inject malicious Python callables into template parameters, bypassing Jinja2 sandboxing to execute arbitrary code.

NetBox rce template-injection cve-2026-29514

2r 1t 1c May 4, 2026

high advisory

netbox-data-flows Stored XSS Vulnerability in ObjectAlias Names

2 rules 1 TTP

The netbox-data-flows plugin is vulnerable to stored cross-site scripting (XSS). An authenticated user with permissions to create or edit ObjectAlias objects can inject arbitrary HTML/JavaScript into the alias name. This payload is then rendered unescaped in DataFlow table views, leading to XSS when another user views the affected page. Successful exploitation can result in session theft, privileged action execution, and data exfiltration.

netbox-data-flows xss netbox data-flows stored-xss

2r 1t Jul 3, 2024