CVE-2026-27016
Stored XSS in LibreNMS Custom OID Unit Parameter
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librenms | librenms | From 24.10.0 (inc) to 26.2.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27016 is a Stored Cross-Site Scripting (XSS) vulnerability in the LibreNMS network monitoring software, specifically in the Custom OID feature.
The vulnerability occurs because the 'unit' parameter of the Custom OID form is not passed through strip_tags(), unlike the other parameters ('name', 'oid' and 'datatype'), which are sanitized.
The unsanitized 'unit' value is stored directly in the database and later rendered in device graphs without HTML escaping, so an attacker can inject script that executes in users' browsers.
An attacker with device edit permissions can exploit this by placing JavaScript in the 'unit' field; the payload then executes persistently for every user who views the affected device graphs. [1]
How can this vulnerability impact me? :
This vulnerability can lead to several security impacts including session hijacking, administrative account takeover, unauthorized actions, and persistent attacks affecting all users of the LibreNMS installation.
Because the malicious script is stored and executed in the context of the web application, it can compromise user sessions and potentially allow attackers to perform actions on behalf of legitimate users.
The vulnerability requires low privileges (device edit permissions) and user interaction, and it has a moderate severity with a CVSS v3 base score of 5.4.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the LibreNMS installation is running a vulnerable version (24.10.0 up to, but not including, 26.2.0) and by inspecting Custom OID entries for HTML or script content in the 'unit' parameter.
Specifically, look for Custom OID entries whose 'unit' field contains markup such as <script> tags, HTML event-handler attributes (onerror=, onload=, ...) or javascript: URLs; a unit string has no legitimate reason to contain any of these.
No explicit detection commands are provided by the advisory, but a practical approach is to query the LibreNMS database for Custom OID entries with suspicious content in the unit column. In LibreNMS's schema the table is customoids and the column is customoid_unit (the shorter names custom_oids/unit used in some write-ups do not exist there).
Example SQL to list suspicious unit values, matching on any angle bracket rather than only a literal <script> tag so that payloads such as <img src=x onerror=...> are not missed: SELECT customoid_id, device_id, customoid_unit FROM customoids WHERE customoid_unit LIKE '%<%' OR customoid_unit LIKE '%>%' OR customoid_unit LIKE '%javascript:%';
Check the LibreNMS version via the web interface or the command line to confirm whether it is within the vulnerable range. [1]
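The following is an added example, not code from LibreNMS or from the advisory. It reproduces the two checks above offline: a version-range test against the affected range in the table on this page, and the audit query run against a constructed in-memory SQLite table whose column names (customoids.customoid_id, device_id, customoid_unit) are assumed to mirror LibreNMS's schema. The sample rows are made up for the demonstration; against a real installation you would run the same SELECT over the MySQL/MariaDB database instead.

```python
import re
import sqlite3

# Affected range from this page: >= 24.10.0 and < 26.2.0.
VULN_FROM = (24, 10, 0)
FIXED_AT = (26, 2, 0)

# Constructed sample rows; column names assumed from the LibreNMS schema.
SAMPLE_ROWS = [
    (1, 10, "Mbps"),
    (2, 10, "°C"),
    (3, 11, "<script>alert(document.cookie)</script>"),
    (4, 11, "<img src=x onerror=alert(1)>"),
    (5, 12, "<SCRIPT SRC=//x.test/a.js></SCRIPT>"),
    (6, 12, "W (watts)"),
]

# A unit string should never contain a tag, an event-handler attribute,
# a javascript: URL or an HTML entity; any of these is a red flag.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript:|&#x?[0-9a-f]+;", re.IGNORECASE
)


def parse_version(v: str) -> tuple:
    """Turn '26.1.1' (or a git-suffixed '26.1.1-3-gabcdef') into a comparable tuple."""
    return tuple(int(part) for part in v.split("-")[0].split("."))


def version_is_vulnerable(v: str) -> bool:
    """True when v lies in [24.10.0, 26.2.0)."""
    return VULN_FROM <= parse_version(v) < FIXED_AT


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the LibreNMS database (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customoids ("
        " customoid_id INTEGER PRIMARY KEY,"
        " device_id INTEGER,"
        " customoid_unit TEXT)"
    )
    conn.executemany("INSERT INTO customoids VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_units(conn: sqlite3.Connection) -> list:
    """Coarse SQL pre-filter: anything with an angle bracket or javascript: URL."""
    sql = (
        "SELECT customoid_id, device_id, customoid_unit FROM customoids "
        "WHERE customoid_unit LIKE '%<%' OR customoid_unit LIKE '%>%' "
        "OR customoid_unit LIKE '%javascript:%' ORDER BY customoid_id"
    )
    return conn.execute(sql).fetchall()


def audit_units(rows: list) -> list:
    """Refine the SQL hits with the regex and return the rows that look injected."""
    return [(cid, dev, unit) for cid, dev, unit in rows if SUSPICIOUS.search(unit or "")]


if __name__ == "__main__":
    for v in ("24.9.2", "24.10.0", "26.1.1", "26.2.0"):
        print(v, "vulnerable" if version_is_vulnerable(v) else "not affected")
    for cid, dev, unit in audit_units(query_units(build_db())):
        print(f"customoid_id={cid} device_id={dev} unit={unit!r}")
```

The SQL pre-filter is deliberately broad (any angle bracket) and the regex narrows it; a unit such as "W (watts)" is not pulled in, while an event-handler payload without a <script> tag still is.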
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade LibreNMS to version 26.2.0 or later, where the vulnerability is fixed by sanitizing the 'unit' parameter in the Custom OID form.
If upgrading immediately is not possible, review existing Custom OID entries in the database and remove any script or HTML tags from the 'unit' field.
Limit device edit permissions to trusted users only, since device edit privileges are required to inject the payload.
If you maintain a custom or development build, apply the official fix (the code change in includes/html/forms/customoid.inc.php that applies strip_tags() to the 'unit' input). [1, 2, 3]