PT-2026-20789 · Librenms · Librenms
Awoffsec · Published 2026-02-18 · Updated 2026-02-20
CVE-2026-26992
CVSS v4.0: 5.1 Medium
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
LibreNMS versions 26.1.1 and below
Description
LibreNMS is a network monitoring tool. A stored cross-site scripting (XSS) issue exists due to insufficient sanitization of the port group name. An attacker with administrator privileges can inject malicious code through the name parameter in an HTTP POST request to the /port-groups API endpoint. The unsanitized input is then displayed, potentially executing the injected script when the delete button is rendered. The vulnerable parameter is name. The issue occurs when creating a new port group.
Recommendations
LibreNMS versions 26.1.1 and below should be updated to version 26.2.0 or later.
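The class of bug described above, as an added illustration that is not LibreNMS source code: a port group name rendered raw into delete-button markup next to an output-encoded version, plus a helper for reviewing names already stored. The function names, the button markup and the sample records are assumptions constructed for this example.

```javascript
// Added illustration; not LibreNMS code. All names and markup here are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is interpolated raw into a quoted attribute,
// so a quote followed by '>' closes the tag and the rest is parsed as markup.
function renderDeleteButtonUnsafe(group) {
  return `<button class="btn btn-danger" data-id="${Number(group.id)}" ` +
         `title="Delete ${group.name}">Delete</button>`;
}

// Hardened pattern: the name is encoded at output time, so it stays attribute text.
function renderDeleteButtonSafe(group) {
  return `<button class="btn btn-danger" data-id="${Number(group.id)}" ` +
         `title="Delete ${escapeHtml(group.name)}">Delete</button>`;
}

// Review helper: return ids of stored names containing markup metacharacters.
// A hit is a candidate for manual review, not proof of an injection attempt.
function findSuspiciousNames(groups) {
  return groups.filter((g) => /[<>"']/.test(String(g.name))).map((g) => g.id);
}

// Constructed sample records (not real data).
const sampleGroups = [
  { id: 1, name: 'Core uplinks' },
  { id: 2, name: 'x"><b>injected</b>' },
];

function demo() {
  return {
    unsafe: renderDeleteButtonUnsafe(sampleGroups[1]),
    safe: renderDeleteButtonSafe(sampleGroups[1]),
    flagged: findSuspiciousNames(sampleGroups),
  };
}

console.log(demo());
```

Encoding at output time is what neutralises names stored before an upgrade; the review helper only shows which existing records deserve a look.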
Exploit
Fix
XSS
Affected Products
Librenms