Time-Based Blind SQL Injection in LibreNMS Network Monitoring Tool
CVE-2026-26990

8.8 HIGH

Key Information:

Vendor: Librenms

CVE Published: 20 February 2026

What is CVE-2026-26990?

LibreNMS, an auto-discovering network monitoring tool based on PHP/MySQL/SNMP, is vulnerable to Time-Based Blind SQL Injection through the address parameter handled in address-search.inc.php. An authenticated user can supply a crafted subnet prefix that is placed directly into an SQL query without parameter binding. This lets an attacker manipulate the query logic and potentially expose sensitive database information by observing time-based differences in responses. The vulnerability has been addressed in version 26.2.0.
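The class of fix for this kind of flaw, as an added example that is not LibreNMS code or the project's actual patch: validate the subnet prefix as an integer before use, and pass every user-supplied value as a bound parameter. The table `demo_addresses` and both function names are hypothetical; it assumes PHP 8 with the pdo_sqlite extension and an `address/prefix` search format.

```php
<?php
// Added example: hypothetical table and function names, not LibreNMS code.
// Split "address/prefix" input; return [address, int prefix or null] or throw.
function parseAddressSearch(string $input): array
{
    $parts = explode('/', trim($input), 2);
    $address = $parts[0];
    $prefix = $parts[1] ?? null;
    if (filter_var($address, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('address is not a valid IP');
    }
    if ($prefix === null) {
        return [$address, null];
    }
    // ctype_digit() accepts only 0-9, so signs, spaces, quotes and SQL text fail.
    $max = str_contains($address, ':') ? 128 : 32;
    if (!ctype_digit($prefix) || (int) $prefix > $max) {
        throw new InvalidArgumentException("prefix must be an integer 0..$max");
    }
    return [$address, (int) $prefix];
}

// Values reach the database only as bound parameters, never as query text.
function searchAddresses(PDO $db, string $input): array
{
    [$address, $prefix] = parseAddressSearch($input);
    $sql = 'SELECT address, prefixlen FROM demo_addresses WHERE address = :addr';
    $params = [':addr' => $address];
    if ($prefix !== null) {
        $sql .= ' AND prefixlen = :plen';
        $params[':plen'] = $prefix;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE demo_addresses (address TEXT, prefixlen INTEGER)');
$db->exec("INSERT INTO demo_addresses VALUES ('192.0.2.10', 24), ('192.0.2.20', 28)");

foreach (['192.0.2.10/24', '192.0.2.10/24 OR 1=1'] as $input) {
    try {
        echo $input, ' => ', count(searchAddresses($db, $input)), " row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo $input, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

Either control alone would stop a non-numeric prefix from altering the query; using both means a future change to the validation does not reopen the injection path.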

Affected Version(s)

librenms < 26.2.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
