Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27016 is a Stored Cross-Site Scripting (XSS) vulnerability in the LibreNMS network monitoring software, specifically in the Custom OID feature.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the 'unit' parameter in the Custom OID form input is not sanitized using the strip_tags() function, unlike other parameters such as 'name', 'oid', and 'datatype' which are properly sanitized."}, {'type': 'paragraph', 'content': "This unsanitized 'unit' value is stored directly in the database and later rendered in device graphs without HTML escaping, allowing attackers to inject and execute malicious scripts in users' browsers."}, {'type': 'paragraph', 'content': "An attacker with device edit permissions can exploit this by injecting malicious JavaScript into the 'unit' field, which then executes persistently for all users viewing the affected device graphs."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to several security impacts including session hijacking, administrative account takeover, unauthorized actions, and persistent attacks affecting all users of the LibreNMS installation.

Because the malicious script is stored and executed in the context of the web application, it can compromise user sessions and potentially allow attackers to perform actions on behalf of legitimate users.

The vulnerability requires low privileges (device edit permissions) and user interaction, and it has a moderate severity with a CVSS v3 base score of 5.4.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if the LibreNMS installation is running a vulnerable version (24.10.0 through 26.1.1) and by inspecting the Custom OID entries for the presence of unsanitized HTML or script tags in the 'unit' parameter."}, {'type': 'paragraph', 'content': "Specifically, you can look for Custom OID entries where the 'unit' field contains HTML or JavaScript code such as <script> tags, which indicates the presence of malicious payloads."}, {'type': 'paragraph', 'content': "While no explicit detection commands are provided, a practical approach is to query the LibreNMS database for Custom OID entries with suspicious content in the 'unit' field. For example, using SQL commands to search for script tags in the 'unit' column of the relevant database table."}, {'type': 'list_item', 'content': "Example SQL command to detect suspicious 'unit' values: SELECT * FROM custom_oids WHERE unit LIKE '%<script>%';"}, {'type': 'list_item', 'content': 'Check the LibreNMS version via the web interface or command line to confirm if it is within the vulnerable range.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "The immediate mitigation step is to upgrade LibreNMS to version 26.2.0 or later, where the vulnerability has been fixed by sanitizing the 'unit' parameter in the Custom OID form."}, {'type': 'paragraph', 'content': "If upgrading immediately is not possible, review and sanitize existing Custom OID entries in the database to remove any malicious scripts or HTML tags from the 'unit' field."}, {'type': 'paragraph', 'content': 'Limit device edit permissions to trusted users only, as the vulnerability requires device edit privileges to inject malicious code.'}, {'type': 'paragraph', 'content': "Apply the patch from the official fix (e.g., the code change in includes/html/forms/customoid.inc.php that applies strip_tags() to the 'unit' input) if you are maintaining a custom or development version."}] [1, 2, 3]

Useful 0 Not Useful 0