PT-2026-20905 · Librenms · Librenms
Quirmz · Published 2026-02-18 · Updated 2026-02-25
CVE-2026-26990
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
LibreNMS versions 25.12.0 and below
Description
LibreNMS is a network monitoring tool. A Time-Based Blind SQL Injection exists in the address-search.inc.php file via the address parameter. Supplying a crafted subnet prefix allows manipulation of SQL query logic and inference of database information through time-based conditional responses. This requires authentication and is exploitable by any authenticated user. The API endpoint involved is address-search.inc.php. The vulnerable parameter is address.
Recommendations
Update to version 26.2.0 or later.
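For code that handles an address/prefix search value in the same way, the following added example (not LibreNMS code and not the upstream fix) shows the two controls that keep a subnet prefix out of the query text: strict parsing of the prefix as a bounded decimal number, and bound parameters. The helper name `parse_address_search`, the `addresses` table with its columns, and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: split "ip" or "ip/prefix" and return [ip, prefix-or-null].
// Anything that is not a valid IP plus an in-range decimal prefix is rejected.
function parse_address_search(string $input): array
{
    $parts  = explode('/', trim($input), 2);
    $ip     = $parts[0];
    $prefix = $parts[1] ?? null;
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('address is not a valid IP');
    }
    if ($prefix === null) {
        return [$ip, null];
    }
    // ctype_digit() accepts only 0-9, so quotes, spaces, operators and
    // function calls can never reach the query through the prefix.
    if (!ctype_digit($prefix) || strlen($prefix) > 3) {
        throw new InvalidArgumentException('prefix is not a decimal number');
    }
    $max = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false ? 32 : 128;
    if ((int) $prefix > $max) {
        throw new InvalidArgumentException('prefix out of range');
    }
    return [$ip, (int) $prefix];
}

// Constructed stand-in table; not the LibreNMS schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE addresses (address TEXT, prefixlen INTEGER)');
$db->exec("INSERT INTO addresses VALUES ('192.0.2.10', 24), ('192.0.2.11', 25)");

// Constructed inputs: the last two must be rejected before any SQL runs.
foreach (['192.0.2.10/24', '192.0.2.10', '192.0.2.10/24 OR 1=1', '192.0.2.10/999'] as $input) {
    try {
        [$ip, $prefix] = parse_address_search($input);
        // Values are bound, never concatenated into the statement text.
        $stmt = $db->prepare(
            'SELECT COUNT(*) FROM addresses
             WHERE address = :ip AND (:prefix IS NULL OR prefixlen = :prefix2)'
        );
        $stmt->execute([':ip' => $ip, ':prefix' => $prefix, ':prefix2' => $prefix]);
        printf("%-22s -> %d row(s)\n", $input, $stmt->fetchColumn());
    } catch (InvalidArgumentException $e) {
        printf("%-22s -> rejected: %s\n", $input, $e->getMessage());
    }
}
```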
Exploit
Fix
SQL injection
Affected Products
Librenms