Stored Cross-Site Scripting in LibreNMS Network Monitoring Tool
CVE-2026-26992
5.1 MEDIUM
What is CVE-2026-26992?
LibreNMS, a widely used network monitoring tool built on PHP/MySQL/SNMP, is vulnerable to stored cross-site scripting (XSS) in versions 26.1.1 and earlier. The port group name is not sufficiently sanitized, which allows attackers with administrative privileges to execute malicious scripts. When a new port group is created, the HTTP POST request's name parameter is processed without proper filtering, so harmful content can be stored and later rendered to users. The issue is fixed in version 26.2.0, and all users should update.
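An added example, not part of the advisory and not LibreNMS code: to review port group names that were stored before upgrading, this Python script flags names containing markup and shows the output encoding that renders them inert. The sample rows, check patterns and function names are assumptions; exporting the names from your own instance is left to you.

```python
import html
import re

# Constructed sample: (id, name) pairs as an operator might export them
# from their own LibreNMS instance. Not real data.
SAMPLE_PORT_GROUPS = [
    (1, "Core uplinks"),
    (2, "Customers <10G"),
    (3, "<script>alert(1)</script>"),
    (4, 'edge" onmouseover="alert(1)'),
    (5, "<img src=x onerror=alert(1)>"),
]

# Heuristics (assumed, not exhaustive) for content a browser could
# interpret if the name is written into a page without encoding.
CHECKS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("script-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
]


def audit_port_group_names(groups):
    """Return (id, name, [reasons]) for every name that matches a check."""
    findings = []
    for group_id, name in groups:
        reasons = [label for label, rx in CHECKS if rx.search(name)]
        if reasons:
            findings.append((group_id, name, reasons))
    return findings


def render_name(name):
    """Encode a name for an HTML text or quoted-attribute context."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for group_id, name, reasons in audit_port_group_names(SAMPLE_PORT_GROUPS):
        # Print the encoded form so the report itself is safe to view in a browser.
        print(f"port group {group_id}: {', '.join(reasons)} -> {render_name(name)}")
```

A legitimate name such as "Customers <10G" is not flagged, and encoding at output time keeps it displayable without rejecting it at input.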
Affected Version(s)
librenms < 26.2.0
