PT-2026-20788 · Librenms · Librenms

Awoffsec · Published 2026-02-18 · Updated 2026-02-20 · CVE-2026-26991

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: LibreNMS versions 26.1.1 and below

Description: LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring tool, contains a stored cross-site scripting (XSS) issue. The device group name is not sanitized, allowing attackers with admin privileges to inject malicious scripts. The vulnerability occurs when a device group is added via an HTTP POST request to the '/device-groups' endpoint: the attacker-controlled input is stored in the name parameter. This unsanitized input is later displayed, potentially executing the injected script when a user interacts with the device group entry, such as clicking the Delete button. The issue is present because the device group name is used in the Delete button functionality without proper sanitization of XSS-related characters or strings. A proof-of-concept demonstrates that an attacker can leak a user's cookies by crafting a malicious payload that makes the victim's browser send an HTTP request to an attacker-controlled server.

Recommendations: Update to version 26.2.0 or later.
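To illustrate the class of defect described above, here is an added example that is not LibreNMS code: a Delete button rendered from a device group name by plain string concatenation beside an output-escaped form, plus a check that flags when unescaped name characters reach the markup. The function names, the button markup and the sample group name are assumptions constructed for the illustration.

```javascript
// Added example, not LibreNMS code. The advisory describes a device group
// name that is stored via POST /device-groups and later placed into the
// Delete button without sanitization. The two renderers below contrast
// raw concatenation with output escaping for the same name.
// Function names, markup and the sample name are assumptions.

// Escape the characters that matter in HTML text and double-quoted
// attribute context. Apply at output time, once per rendering.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the stored name is spliced into markup verbatim, so any
// quote or angle bracket in it changes the structure of the page.
function renderDeleteButtonUnsafe(groupName) {
  return `<button class="delete" data-name="${groupName}">Delete ${groupName}</button>`;
}

// Hardened pattern: the same markup, but the name is escaped before it is
// used in both the attribute and the text node.
function renderDeleteButtonEscaped(groupName) {
  const safe = escapeHtml(groupName);
  return `<button class="delete" data-name="${safe}">Delete ${safe}</button>`;
}

// Review/test helper: returns true when a name containing HTML-significant
// characters appears unchanged in the rendered output, i.e. escaping was
// skipped somewhere on the path from storage to page.
function nameLeaksMarkup(html, groupName) {
  const needsEscaping = escapeHtml(groupName) !== groupName;
  return needsEscaping && html.includes(groupName);
}

// Constructed sample: a benign name that still carries the characters an
// escaper must handle (angle brackets and double quotes).
const SAMPLE_GROUP_NAME = 'Core <b>Routers</b> "east"';
```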

Exploit · Fix · XSS

Related Identifiers

CVE-2026-26991
GHSA-5PQF-54QP-32WX

Affected Products

Librenms