NetBox Reflected Cross-Site Scripting Vulnerability in Error Handling Logic

Vulnerability

A reflected cross-site scripting vulnerability has been identified in NetBox versions 2.11.0 through 3.7.x. The issue arises in the ProtectedError handling logic, where object names are incorporated into HTML error messages without adequate escaping. This flaw allows user-controlled content to be displayed in the web interface when a deletion attempt fails due to protected relationships. Consequently, it could enable the execution of arbitrary client-side code within the context of a privileged user.
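The pattern described above, shown as an added example that is not NetBox's own code: an error message built from object names with and without HTML escaping. The class `DependentObject`, the two builder functions, the sample names and the `/objects/…` URLs are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from html import escape


@dataclass
class DependentObject:
    """Hypothetical stand-in for an object that blocks a deletion."""
    name: str  # user-controlled display name
    url: str   # link to the object's detail page


def build_error_unsafe(target: str, dependents: list[DependentObject]) -> str:
    """Pattern the advisory describes: names interpolated into HTML as-is."""
    links = ", ".join(f'<a href="{d.url}">{d.name}</a>' for d in dependents)
    return f"Unable to delete <strong>{target}</strong>. Dependent objects: {links}"


def build_error_escaped(target: str, dependents: list[DependentObject]) -> str:
    """Same message with every user-controlled value HTML-escaped first."""
    links = ", ".join(
        f'<a href="{escape(d.url, quote=True)}">{escape(d.name)}</a>'
        for d in dependents
    )
    return (
        f"Unable to delete <strong>{escape(target)}</strong>. "
        f"Dependent objects: {links}"
    )


# Constructed sample data: one ordinary name and one carrying markup.
SAMPLE = [
    DependentObject("rack-01", "/objects/1/"),
    DependentObject("<script>alert(1)</script>", "/objects/2/"),
]

if __name__ == "__main__":
    # The unsafe output contains a live <script> element; the escaped
    # output shows the same characters as inert text.
    print(build_error_unsafe("Site A", SAMPLE))
    print(build_error_escaped("Site A", SAMPLE))
```

In a Django code base the same effect comes from `django.utils.html.format_html` or `escape` instead of marking a hand-built string as safe.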

Impact

Exploitation of this vulnerability could lead to reflected cross-site scripting, allowing for the execution of malicious scripts in the context of the user.

Added: Feb 3, 2026, 6:35 PM
Updated: Feb 3, 2026, 6:35 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 1.7
exploitability: 4.6
remediation: 0.0
relevance: 2.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.