Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0.

INFO

Published Date :

2026-02-20T02:21:31.889Z

Last Modified :

2026-02-20T16:35:40.195Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26991 vulnerability.

Vendors Products
Librenms
  • Librenms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26991.

URL Resource
https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c cve-icon cve-icon
https://github.com/librenms/librenms/pull/19041 cve-icon cve-icon
https://github.com/librenms/librenms/releases/tag/26.2.0 cve-icon cve-icon
https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact