CVE-2026-26992
Received Received - Intake
Stored XSS in LibreNMS Port Group Name Allows Admin Attack

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter. After the port group is created, the entry is displayed along with relevant buttons such as Edit and Delete. This issue has been fixed in version 26.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26992
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
librenms librenms to 26.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-26992 is a stored Cross-Site Scripting (XSS) vulnerability in LibreNMS, a network monitoring tool. The issue occurs because the port group name, which is provided by an authenticated admin user when creating a port group, is not properly sanitized. This unsanitized input is stored and later rendered in the user interface, specifically in the Delete button's JavaScript onclick handler. This allows an attacker to inject malicious JavaScript code that executes in the browsers of other users viewing the port groups."}, {'type': 'paragraph', 'content': 'The vulnerability arises from embedding the port group name directly into inline JavaScript without escaping, enabling execution of injected scripts. The issue was fixed by changing the code to store the port group name in a safe data attribute and retrieving it via the DOM API, preventing direct injection of unescaped strings into JavaScript.'}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker with admin privileges to execute arbitrary JavaScript code in the context of other users' browsers when they interact with the port group deletion interface. This can lead to theft of sensitive information such as cookies, session tokens, or other data accessible via JavaScript."}, {'type': 'paragraph', 'content': 'The attack requires the victim to click the Delete button and confirm the action, which triggers the malicious script. The impact on confidentiality and integrity is considered low, and there is no impact on availability. However, it can be used to perform malicious actions like session hijacking or unauthorized actions on behalf of the victim.'}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your LibreNMS installation is running version 26.1.1 or below, as these versions are affected by the stored Cross-Site Scripting (XSS) issue in the port group name handling.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system, you can monitor HTTP POST requests to the "/port-groups" endpoint, specifically looking for suspicious or malicious payloads in the "name" parameter that could contain JavaScript or HTML code.'}, {'type': 'paragraph', 'content': 'For example, you can use network monitoring or web server logs to search for POST requests with suspicious content:'}, {'type': 'list_item', 'content': 'Using grep on web server logs to find POST requests to /port-groups containing suspicious script tags or JavaScript payloads:'}, {'type': 'list_item', 'content': "grep -i 'POST /port-groups' /var/log/apache2/access.log | grep -i '<script\\|javascript:'"}, {'type': 'list_item', 'content': 'Alternatively, you can use tools like Wireshark or tcpdump to capture HTTP traffic and filter for POST requests to /port-groups.'}, {'type': 'paragraph', 'content': 'Additionally, verifying the LibreNMS version installed can be done via the application interface or command line to ensure it is at least version 26.2.0, where the vulnerability is fixed.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and most effective step to mitigate this vulnerability is to upgrade LibreNMS to version 26.2.0 or later, where the issue has been fixed.'}, {'type': 'paragraph', 'content': "The fix involves proper sanitization of the port group name and changes in how the name is handled in the deletion button's JavaScript, preventing stored XSS attacks."}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, restrict admin privileges to trusted users only, as exploitation requires admin-level access.'}, {'type': 'paragraph', 'content': 'Additionally, monitor and audit port group creation activities for suspicious input and avoid clicking on Delete buttons for port groups with untrusted or suspicious names.'}, {'type': 'paragraph', 'content': 'Applying the patch from the official repository or pull request that addresses this vulnerability can also mitigate the risk if upgrading the full application is delayed.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26992. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart