PT-2026-20793 · Librenms · Librenms
Decsecre583 · Published 2026-02-18 · Updated 2026-02-20 · CVE-2026-27016
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LibreNMS versions 24.10.0 through 26.1.1
Description: LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring tool, does not properly sanitize the unit parameter of the Custom OID functionality. Unlike the name, oid and datatype fields, unit is not passed through strip_tags(), so unsanitized values are stored in the database and later rendered without HTML escaping, resulting in Stored Cross-Site Scripting (XSS). The flaw is in includes/html/forms/customoid.inc.php (lines 18-21), where unit is assigned directly from the $_POST array without sanitization, and in graphs/customoid.inc.php (lines 13-20), where the value is echoed without escaping. A proof-of-concept (PoC) demonstrates the vulnerability with various XSS payloads. Exploitation requires a user with device edit permissions to set a malicious unit value, which then executes for every user who views the device's graphs. Potential consequences include session hijacking, admin account takeover, and malicious actions performed on behalf of victims.
Recommendations: LibreNMS versions 24.10.0 through 26.1.1 should be updated to version 26.2.0 or later.
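The two defects the description names, a form field stored without sanitization and a stored value echoed without escaping, are shown below next to a hardened version of each. This is an added illustration written for this page, not LibreNMS code and not the project's fix; the function names (saveUnitUnsafe, saveUnitSafe, renderUnitUnsafe, renderUnitSafe) and the sample form value are invented for the example.

```php
<?php
// Added illustration (not LibreNMS code): a form value taken from $_POST and
// stored as-is, and a stored value echoed into HTML unchanged, each beside a
// hardened counterpart. Function names are invented for this example.

// Constructed sample of a submitted form value containing markup.
$sample = ['unit' => '<b title="x">bps</b>'];

// --- Input side -------------------------------------------------------------

// Weak: the value is taken straight from the request and stored unchanged.
function saveUnitUnsafe(array $post): string
{
    return (string) ($post['unit'] ?? '');
}

// Hardened: strip markup on the way in, matching how the sibling fields are
// treated, and bound the length so the stored value stays a short label.
function saveUnitSafe(array $post): string
{
    $unit = strip_tags((string) ($post['unit'] ?? ''));
    return mb_substr(trim($unit), 0, 32);
}

// --- Output side ------------------------------------------------------------

// Weak: the stored value is placed in the HTML response unchanged, so any
// markup it contains is interpreted by every browser that renders the page.
function renderUnitUnsafe(string $unit): string
{
    return "<span class=\"unit\">$unit</span>";
}

// Hardened: escape at the point of output. Input filtering is defence in
// depth; output encoding is what actually stops the stored value from being
// parsed as markup, and it also covers rows written before the input fix.
function renderUnitSafe(string $unit): string
{
    return '<span class="unit">'
        . htmlspecialchars($unit, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Weak input + weak output: the <b> element survives into the page.
echo renderUnitUnsafe(saveUnitUnsafe($sample)), PHP_EOL;
// Weak input + hardened output: the tag is shown as literal text.
echo renderUnitSafe(saveUnitUnsafe($sample)), PHP_EOL;
// Hardened input + hardened output: only the plain label remains.
echo renderUnitSafe(saveUnitSafe($sample)), PHP_EOL;
```

The second echo is the case that matters for an upgrade: values already stored by an unpatched version are neutralised by output escaping alone, whereas fixing only the input path leaves existing rows rendering as markup.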


Weakness Enumeration: XSS; Improper Encoding or Escaping of Output

Related Identifiers: CVE-2026-27016, GHSA-FQX6-693C-F55G

Affected Products: Librenms