CVE-2026-26991
Received Received - Intake
Stored XSS in LibreNMS Device Group Name Allows Admin Attack

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26991
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
librenms librenms to 26.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26991 is a stored cross-site scripting (XSS) vulnerability in LibreNMS, a network monitoring tool. It affects versions 26.1.1 and below. The vulnerability occurs because the device group name, which is submitted via an HTTP POST request to the "/device-groups" endpoint, is not properly sanitized. An attacker with admin privileges can insert malicious HTML or JavaScript code into the device group name.'}, {'type': 'paragraph', 'content': "This malicious code is stored and later executed in the context of other users viewing the device groups management interface, specifically through the delete button's onclick JavaScript handler. This allows the attacker to execute scripts in other users' browsers, potentially stealing session cookies or performing other malicious actions."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 26.2.0 by changing how the device group name is handled in the HTML and JavaScript, preventing direct injection of malicious scripts.'}] [1, 3]

Impact Analysis

This vulnerability can lead to the execution of malicious scripts in the browsers of users who view the affected device groups page. Specifically, an attacker with admin privileges can inject scripts that steal session cookies from other authenticated users.

The stolen session cookies can be used for session hijacking, allowing the attacker to impersonate legitimate users and potentially gain unauthorized access to sensitive information or perform unauthorized actions within the LibreNMS system.

The impact includes low confidentiality and integrity loss, but no impact on availability. The attack requires an attacker to have admin privileges and some user interaction (confirmation on delete).

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests to the "/device-groups" endpoint, specifically looking for device group names containing suspicious or malicious HTML/JavaScript code that could trigger stored cross-site scripting (XSS).'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves an authenticated user with admin privileges submitting a crafted device group name, detection involves inspecting the content of the "name" parameter in POST requests to "/device-groups" for potentially unsafe input.'}, {'type': 'paragraph', 'content': 'Commands to detect this might include using web server logs or network traffic capture tools (e.g., tcpdump, Wireshark) to filter POST requests to "/device-groups" and then searching for suspicious payloads in the "name" parameter.'}, {'type': 'list_item', 'content': "Example command to capture HTTP POST requests to /device-groups using tcpdump: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/device-groups'"}, {'type': 'list_item', 'content': 'Use grep or similar tools on web server access logs to find POST requests to /device-groups and inspect the "name" parameter for suspicious scripts: grep \'POST /device-groups\' /var/log/apache2/access.log | grep -i \'<script>\''}, {'type': 'paragraph', 'content': 'Additionally, reviewing the device groups created in the LibreNMS interface for any unusual or suspicious names containing script tags or HTML can help identify exploitation attempts.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade LibreNMS to version 26.2.0 or later, where the vulnerability has been fixed by properly sanitizing the device group name input.

If upgrading immediately is not possible, restrict admin user privileges to trusted personnel only, as exploitation requires admin-level access.

Monitor and audit device group names for suspicious or malicious content and remove any entries that contain potentially harmful scripts.

Apply any available patches or pull requests related to this vulnerability, such as the fix merged in pull request #19041.

Educate users with admin privileges about the risks of entering untrusted input in device group names and encourage cautious behavior.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart