Executive Summary

CVE-2026-26989 is a stored Cross-Site Scripting (XSS) vulnerability in LibreNMS versions up to and including 25.12.0, specifically in the Alert Rules workflow.

An attacker with administrative privileges can inject malicious JavaScript code into alert rules. This malicious script is stored and later executed in the browser context of any user who views the Alert Rules page.

The root cause is improper sanitization of user input before it is output in the alert rule display, allowing executable scripts to be injected and run.

The vulnerability requires the attacker to have authenticated admin-level access, and user interaction is needed to trigger the script execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with admin privileges to execute arbitrary JavaScript code in the browsers of users who access the Alert Rules page.

Such script execution can lead to theft of sensitive information, session hijacking, or performing actions on behalf of the victim user within the application.

However, the attack complexity is low but requires high privileges (admin access), and user interaction is necessary to trigger the malicious script.

The overall impact on confidentiality, integrity, and availability is rated as low, but it still poses a moderate security risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your LibreNMS installation is running version 25.12.0 or below, as these versions are affected by the stored XSS in the Alert Rules workflow.'}, {'type': 'paragraph', 'content': 'A practical detection method involves attempting to identify malicious script injections in the alert rules by inspecting the alert rules data, especially looking for suspicious script tags or HTML content in alert rule display fields.'}, {'type': 'paragraph', 'content': 'One way to detect exploitation attempts is to review HTTP POST requests to the `/alert-rule` endpoint for payloads containing script tags, such as `<script>alert("xss")</script>`.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires admin privileges, auditing admin activity logs for unusual alert rule creations or modifications containing HTML or JavaScript code can help detect exploitation.'}, {'type': 'paragraph', 'content': 'No specific commands are provided in the resources, but you can use tools like curl or wget to simulate POST requests to `/alert-rule` with crafted payloads to test if the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade LibreNMS to version 26.2.0 or later, where this stored XSS vulnerability has been fixed.

If upgrading immediately is not possible, restrict administrative access to trusted users only, since the vulnerability requires admin privileges to exploit.

Review and sanitize existing alert rules to remove any suspicious or potentially malicious HTML or JavaScript content in alert rule display fields.

Apply the patch that modifies the alert rule display rendering by stripping HTML tags before escaping output, as described in the fix which uses `strip_tags()` on the alert rule display field.

Useful 0 Not Useful 0