CVE-2026-26988

Received Received - Intake

SQL Injection in LibreNMS ajax_table.php Enables Data Access

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-20

Last Modified

2026-02-20

Generated

2026-06-16

AI Q&A

2026-02-20

EPSS Evaluated

2026-06-15

NVD

CVE-2026-26988

EUVD

EUVD-2026-8039

Affected Vendors & Products

Vendor	Product	Version / Range
librenms	librenms	to 26.2.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Impact Analysis

This vulnerability allows an attacker to execute arbitrary SQL commands on the LibreNMS database.

As a result, an attacker could gain unauthorized access to sensitive data or manipulate the database, potentially compromising the integrity and confidentiality of the monitored network information.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26988 is a high-severity SQL Injection vulnerability found in the ajax_table.php endpoint of LibreNMS versions 25.12.0 and below.'}, {'type': 'paragraph', 'content': "The vulnerability occurs in the IPv6 address search functionality when the 'search_type' parameter is set to 'ipv6'. The application splits the user-supplied 'address' parameter into two parts: an address and a prefix. The prefix portion is then directly concatenated into the SQL query string without any sanitization or parameterization."}, {'type': 'paragraph', 'content': 'This improper handling allows an attacker to inject arbitrary SQL commands by including malicious characters such as single quotes in the prefix input, which can manipulate the SQL query structure.'}, {'type': 'paragraph', 'content': 'Unlike the IPv4 search, which uses prepared statements, the IPv6 search block fails to neutralize special SQL elements, leading to this SQL Injection vulnerability.'}] [1]

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the ajax_table.php endpoint of LibreNMS for SQL injection in the IPv6 address search functionality. Specifically, you can send crafted HTTP POST requests with the parameter search_type set to ipv6 and the address parameter containing malicious input designed to break the SQL query.'}, {'type': 'paragraph', 'content': 'An example command using curl to test for this vulnerability is:'}, {'type': 'list_item', 'content': 'curl -X POST -d "search_type=ipv6&address=snow/1nd\'" http://<librenms-server>/ajax_table.php'}, {'type': 'paragraph', 'content': 'If the server responds with an SQL error or unexpected behavior, it indicates the presence of the SQL injection vulnerability.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade LibreNMS to version 26.2.0 or later, where this SQL injection vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the ajax_table.php endpoint to trusted users only, and consider applying web application firewall (WAF) rules to block suspicious input patterns targeting the address parameter with IPv6 prefix injections.

Compliance Impact

I don't know

Hi! I’m here to help you understand CVE-2026-26988. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-26988

SQL Injection in LibreNMS ajax_table.php Enables Data Access

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart