Stored Cross-Site Scripting Vulnerability in LibreNMS Network Monitoring Tool
CVE-2026-26991
5.1 MEDIUM
What is CVE-2026-26991?
LibreNMS, a PHP/MySQL/SNMP-based network monitoring tool, is vulnerable to Stored Cross-Site Scripting (XSS) in versions 26.1.1 and below. Due to a lack of input sanitization, attackers with administrative privileges can inject malicious scripts via the device group name when adding a new group. The vulnerability allows unauthorized actions when users interact with the affected entries. The issue was resolved in version 26.2.0; users should update to this version to mitigate the risks associated with XSS attacks.
Affected Version(s)
librenms < 26.2.0
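
A triage sketch for operators, added here as an example and not LibreNMS code: it checks whether an installed version falls in the affected range and lists device group names that contain HTML-significant characters. It assumes the operator has already exported the group names as a list of strings; the function names, the tolerated version-suffix format and the sample data are hypothetical.

```python
import html
import re

FIXED = (26, 2, 0)  # first fixed release, per the advisory above


def parse_version(text):
    """Return (major, minor, patch); a trailing suffix such as '-12-gabc' is ignored (assumed format)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True when the version is below 26.2.0 (numeric, not string, comparison)."""
    return parse_version(version_text) < FIXED


def suspicious_group_names(names):
    """Return names whose HTML-escaped form differs from the raw value.

    Such a name contains <, >, &, or a quote, so it changes meaning if a page
    prints it without output encoding. Harmless names like 'R&D lab' are also
    listed; every hit is a prompt for manual review, not a verdict.
    """
    return [n for n in names if html.escape(n, quote=True) != n]


def triage(version_text, names):
    """Summarise exposure: affected flag plus the names to review."""
    return {"affected": is_affected(version_text),
            "review": suspicious_group_names(names)}


# Constructed sample data, not taken from a real installation.
SAMPLE_NAMES = [
    "Core switches",
    "Branch-office routers",
    "DC1 <script>/* constructed sample */</script>",
    "R&D lab",
]

if __name__ == "__main__":
    report = triage("26.1.1", SAMPLE_NAMES)
    print("affected:", report["affected"])
    for name in report["review"]:
        # Escape before printing so the report itself is safe to view as HTML.
        print("review:", html.escape(name))
```

Names flagged on an installation that ran an affected version are worth reviewing even after the upgrade to 26.2.0, since stored values persist across updates.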
