CVE-2026-26992
Stored XSS in LibreNMS Port Group Name Allows Admin Attack
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librenms | librenms | to 26.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-26992 is a stored Cross-Site Scripting (XSS) vulnerability in LibreNMS, a network monitoring tool. The issue occurs because the port group name, which is provided by an authenticated admin user when creating a port group, is not properly sanitized. This unsanitized input is stored and later rendered in the user interface, specifically in the Delete button's JavaScript onclick handler. This allows an attacker to inject malicious JavaScript code that executes in the browsers of other users viewing the port groups."}, {'type': 'paragraph', 'content': 'The vulnerability arises from embedding the port group name directly into inline JavaScript without escaping, enabling execution of injected scripts. The issue was fixed by changing the code to store the port group name in a safe data attribute and retrieving it via the DOM API, preventing direct injection of unescaped strings into JavaScript.'}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability allows an attacker with admin privileges to execute arbitrary JavaScript code in the context of other users' browsers when they interact with the port group deletion interface. This can lead to theft of sensitive information such as cookies, session tokens, or other data accessible via JavaScript."}, {'type': 'paragraph', 'content': 'The attack requires the victim to click the Delete button and confirm the action, which triggers the malicious script. The impact on confidentiality and integrity is considered low, and there is no impact on availability. However, it can be used to perform malicious actions like session hijacking or unauthorized actions on behalf of the victim.'}] [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your LibreNMS installation is running version 26.1.1 or below, as these versions are affected by the stored Cross-Site Scripting (XSS) issue in the port group name handling.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system, you can monitor HTTP POST requests to the "/port-groups" endpoint, specifically looking for suspicious or malicious payloads in the "name" parameter that could contain JavaScript or HTML code.'}, {'type': 'paragraph', 'content': 'For example, you can use network monitoring or web server logs to search for POST requests with suspicious content:'}, {'type': 'list_item', 'content': 'Using grep on web server logs to find POST requests to /port-groups containing suspicious script tags or JavaScript payloads:'}, {'type': 'list_item', 'content': "grep -i 'POST /port-groups' /var/log/apache2/access.log | grep -i '<script\\|javascript:'"}, {'type': 'list_item', 'content': 'Alternatively, you can use tools like Wireshark or tcpdump to capture HTTP traffic and filter for POST requests to /port-groups.'}, {'type': 'paragraph', 'content': 'Additionally, verifying the LibreNMS version installed can be done via the application interface or command line to ensure it is at least version 26.2.0, where the vulnerability is fixed.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate and most effective step to mitigate this vulnerability is to upgrade LibreNMS to version 26.2.0 or later, where the issue has been fixed.'}, {'type': 'paragraph', 'content': "The fix involves proper sanitization of the port group name and changes in how the name is handled in the deletion button's JavaScript, preventing stored XSS attacks."}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, restrict admin privileges to trusted users only, as exploitation requires admin-level access.'}, {'type': 'paragraph', 'content': 'Additionally, monitor and audit port group creation activities for suspicious input and avoid clicking on Delete buttons for port groups with untrusted or suspicious names.'}, {'type': 'paragraph', 'content': 'Applying the patch from the official repository or pull request that addresses this vulnerability can also mitigate the risk if upgrading the full application is delayed.'}] [1, 2, 3]