CVE-2026-26991
Stored XSS in LibreNMS Device Group Name Allows Admin Attack
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librenms | librenms | before 26.2.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26991 is a stored cross-site scripting (XSS) vulnerability in LibreNMS, a network monitoring tool. It affects versions 26.1.1 and below. The vulnerability occurs because the device group name, which is submitted via an HTTP POST request to the "/device-groups" endpoint, is not properly sanitized. An attacker with admin privileges can insert malicious HTML or JavaScript code into the device group name.
This malicious code is stored and later executed in the context of other users viewing the device groups management interface, specifically through the delete button's onclick JavaScript handler. This allows the attacker to execute scripts in other users' browsers, potentially stealing session cookies or performing other malicious actions.
The vulnerability was fixed in version 26.2.0 by changing how the device group name is handled in the HTML and JavaScript, preventing direct injection of malicious scripts. [1, 3]
How can this vulnerability impact me?
This vulnerability can lead to the execution of malicious scripts in the browsers of users who view the affected device groups page. Specifically, an attacker with admin privileges can inject scripts that steal session cookies from other authenticated users.
The stolen session cookies can be used for session hijacking, allowing the attacker to impersonate legitimate users and potentially gain unauthorized access to sensitive information or perform unauthorized actions within the LibreNMS system.
The impact includes low confidentiality and integrity loss, but no impact on availability. The attack requires an attacker to have admin privileges and some user interaction (confirmation on delete).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP POST requests to the "/device-groups" endpoint, specifically looking for device group names containing suspicious or malicious HTML/JavaScript code that could trigger stored cross-site scripting (XSS).
Since the vulnerability involves an authenticated user with admin privileges submitting a crafted device group name, detection involves inspecting the content of the "name" parameter in POST requests to "/device-groups" for potentially unsafe input.
Commands to detect this might include using web server logs or network traffic capture tools (e.g., tcpdump, Wireshark) to filter POST requests to "/device-groups" and then searching for suspicious payloads in the "name" parameter.
- Example command to capture HTTP POST requests to /device-groups using tcpdump:

```bash
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/device-groups'
```

- Use grep or similar tools on web server access logs to find POST requests to /device-groups and inspect the "name" parameter for suspicious scripts:

```bash
grep 'POST /device-groups' /var/log/apache2/access.log | grep -i '<script>'
```

Additionally, reviewing the device groups created in the LibreNMS interface for any unusual or suspicious names containing script tags or HTML can help identify exploitation attempts. [1]
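An added example (not part of the original page and not LibreNMS code): a Python audit of device group names, taken either from captured form-encoded POST bodies or from a list of names read out of the interface. Because the sink described above is an onclick handler, it flags quote and markup characters in general rather than only `<script>`; the form encoding of the body and the `_token` and `type` fields are assumptions, and the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Characters that change meaning in HTML markup, in a quoted attribute,
# or in a JavaScript string literal inside an inline event handler.
RISKY_CHARS = {
    "<": "html-tag", ">": "html-tag",
    '"': "attr-quote", "'": "js-quote", "`": "js-quote",
    "\\": "js-escape",
    "&": "html-entity",  # entities are decoded inside attribute values
}
RISKY_PATTERNS = [
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event-handler"),
    (re.compile(r"javascript\s*:", re.I), "js-uri"),
]


def audit_name(name):
    """Return the sorted reasons a device group name deserves manual review."""
    reasons = {label for ch, label in RISKY_CHARS.items() if ch in name}
    reasons |= {label for rx, label in RISKY_PATTERNS if rx.search(name)}
    return sorted(reasons)


def audit_post_body(body):
    """Decode a form-encoded POST body and audit every 'name' value in it."""
    fields = parse_qs(body, keep_blank_values=True)
    return [(n, audit_name(n)) for n in fields.get("name", [])]


def flagged(names):
    """Map each suspicious name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := audit_name(n))}


# Constructed sample bodies (not taken from a real system); field names
# other than "name" are assumptions.
SAMPLE_BODIES = [
    "_token=x&name=Core+Routers&type=static",
    "_token=x&name=%3Cscript%3E1%3C%2Fscript%3E&type=static",
    "_token=x&name=lab%27group&type=static",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for name, reasons in audit_post_body(body):
            print(f"{'REVIEW' if reasons else 'ok':6} {name!r} {reasons}")
```

Default Apache access logs do not record POST bodies, so feed this function bodies from a traffic capture or names read from the device groups page. A flagged name is a prompt for manual review, not proof of exploitation.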
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade LibreNMS to version 26.2.0 or later, where the vulnerability has been fixed by properly sanitizing the device group name input.
If upgrading immediately is not possible, restrict admin user privileges to trusted personnel only, as exploitation requires admin-level access.
Monitor and audit device group names for suspicious or malicious content and remove any entries that contain potentially harmful scripts.
Apply any available patches or pull requests related to this vulnerability, such as the fix merged in pull request #19041.
Educate users with admin privileges about the risks of entering untrusted input in device group names and encourage cautious behavior.