SQL Injection Vulnerability in LibreNMS Affects Network Monitoring Tools
CVE-2026-26988

9.3 CRITICAL

Key Information:

Vendor: Librenms

Status
Vendor
CVE Published: 20 February 2026

What is CVE-2026-26988?

LibreNMS, a PHP/MySQL/SNMP-based network monitoring tool, has a critical vulnerability in the ajax_table.php endpoint caused by improper sanitization of user input during IPv6 address searches. The prefix of the address parameter is concatenated into the SQL query without validation, enabling an attacker to inject arbitrary SQL commands. This could result in unauthorized access to sensitive data or allow manipulation of the database itself. Users are advised to update to version 26.2.0 or later, where this issue has been addressed.
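The general fix pattern for this class of bug, as an added example that is not LibreNMS code: validate the address and the prefix separately, then pass both to the query as bound parameters. The table, column and function names are hypothetical, the rows are constructed, and SQLite stands in for MySQL so the block runs offline.

```python
import ipaddress
import sqlite3


def parse_ipv6_search(term):
    """Split 'address[/prefix]' and validate both parts; raise ValueError otherwise."""
    address, slash, prefix = term.strip().partition("/")
    # IPv6Address raises AddressValueError (a ValueError) on anything but an address.
    addr = ipaddress.IPv6Address(address).compressed
    if not slash:
        return addr, None
    # The prefix must be a plain decimal integer in 0..128, nothing else.
    if not (prefix.isascii() and prefix.isdigit()) or int(prefix) > 128:
        raise ValueError("prefix must be an integer between 0 and 128")
    return addr, int(prefix)


def search_ipv6(db, term):
    """Look up an address using bound parameters only; no input reaches the SQL text."""
    addr, prefix = parse_ipv6_search(term)
    sql = "SELECT hostname, address, prefixlen FROM ipv6_addresses WHERE address = ?"
    params = [addr]
    if prefix is not None:
        sql += " AND prefixlen = ?"
        params.append(prefix)
    return db.execute(sql, params).fetchall()


def build_sample_db():
    """Constructed sample data in an in-memory SQLite database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ipv6_addresses (hostname TEXT, address TEXT, prefixlen INTEGER)")
    db.executemany(
        "INSERT INTO ipv6_addresses VALUES (?, ?, ?)",
        [("core-rtr1", "2001:db8::1", 64), ("edge-sw2", "2001:db8:1::5", 48)],
    )
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for term in ["2001:db8::1/64", "2001:0db8::1", "2001:db8::1/64 OR 1=1"]:
        try:
            print(term, "->", search_ipv6(db, term))
        except ValueError as exc:
            print(term, "-> rejected:", exc)
```

Rejecting the request on ValueError, rather than trying to clean the prefix, keeps the accepted input space to exactly "IPv6 address, optional integer prefix".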

Affected Version(s)

librenms < 26.2.0

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved