CVE-2026-2728
Authenticated XSS in LibreNMS showconfig Page Before
Publication date: 2026-04-13
Last updated on: 2026-04-22
Assigner: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librenms | librenms | up to 26.3.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated Cross-site Scripting (XSS) issue found in LibreNMS versions before 26.3.0. It occurs on the showconfig page and requires the attacker to have administrative privileges to exploit it.
If successfully exploited, the attacker can perform XSS attacks against other users who have access to the showconfig page.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker with administrative privileges could execute Cross-site Scripting attacks on other users accessing the showconfig page.
This could lead to unauthorized actions being performed on behalf of other users, theft of session tokens, or other malicious activities within the context of the affected application.