CVE-2026-30480
Local File Inclusion in LibreNMS NFSen Module Enables Code Execution
Publication date: 2026-04-14
Last updated on: 2026-04-16
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librenms | librenms | 22.11.0-23-gd091788f2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal, potentially leading to information disclosure, privilege escalation, and remote code execution.
Such unauthorized access and potential data exposure could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.
Therefore, exploitation of this vulnerability could result in violations of data protection requirements and increase the risk of regulatory penalties.
Can you explain this vulnerability to me?
CVE-2026-30480 is a Local File Inclusion (LFI) vulnerability in the NFSen module of LibreNMS, specifically in the file nfsen.inc.php. It occurs because the application passes the value of the nfsen request parameter to an include() statement without sanitizing or validating it.
The vulnerability allows an authenticated attacker to place path traversal sequences (such as ../) in the nfsen parameter and include arbitrary PHP files from the server filesystem. The only check performed is whether the target file exists; that confirms the file is present but does not confirm it lies inside the intended directory, so traversal outside it is not prevented.
For example, an attacker can manipulate the URL parameter to include sensitive or unintended files. This can lead to information disclosure, privilege escalation (by including pages intended for higher-privileged users), or remote code execution if the attacker can control the content of an included file, for instance a file they are able to write on the host.
How can this vulnerability impact me? :
This vulnerability can have several serious impacts if exploited by an authenticated attacker:
- Information disclosure by including sensitive PHP files that reveal internal data.
- Privilege escalation, allowing a low-privileged user to access admin-only pages or functions.
- Potential remote code execution if the attacker can control the content of the included files.
Overall, it compromises the confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the NFSen module with path traversal payloads in the nfsen parameter while authenticated. For example, by navigating to the Netflow tab in LibreNMS and injecting a payload such as nfsen=..%2f..%2fapi-access in the URL, you can observe if unintended PHP files are included.
Detection involves verifying if the application improperly includes files based on unsanitized input. Monitoring web server logs for requests containing suspicious path traversal sequences like ../ or encoded equivalents (%2f) in the nfsen parameter can also help identify exploitation attempts.
Suggested commands to detect this vulnerability include using curl or wget to send a crafted request with a path traversal payload to the vulnerable endpoint, then comparing the response with that of a normal request, and searching the web server access log for traversal sequences in the nfsen parameter (both plain and URL-encoded forms), for example:
- curl -i -b 'auth_cookie=your_auth_cookie' 'http://your-libreNMS-server/device/device_id/nfsen?nfsen=..%2f..%2fapi-access'
- grep 'nfsen=' /var/log/apache2/access.log | grep -iE '\.\./|\.\.%2f|%2e%2e' # To find suspicious requests in logs (adjust the log path for Nginx)
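As an added example (not from this page or from the LibreNMS project), the log check above written as a small PHP script run over constructed Apache combined-format lines: it extracts the nfsen parameter from the request line, decodes it twice to catch double-encoded payloads, and flags any parent-directory reference. The log lines, the log format and the function name are assumptions; adapt the request-line regex for Nginx or a custom log format.

```php
<?php
// Added example, not LibreNMS code: flag path traversal in the "nfsen"
// query parameter of Apache combined-format access log lines.
// All log lines below are constructed for the demonstration.

declare(strict_types=1);

/**
 * Return true if the request line carries an nfsen parameter whose
 * decoded value tries to leave the intended page directory.
 */
function nfsenTraversalAttempt(string $logLine): bool
{
    // Combined format: ... "GET /path?query HTTP/1.1" ...
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return false;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);            // decodes one layer of %XX
    if (!isset($params['nfsen']) || !is_string($params['nfsen'])) {
        return false;
    }
    // Second decode catches double-encoded payloads such as %252e%252e%252f
    $value = rawurldecode($params['nfsen']);
    // "..", a backslash or a NUL byte has no place in a page name
    return (bool) preg_match('/\.\.|\\\\|\x00/', $value);
}

// Constructed sample log: one normal request, two traversal attempts
// (plain and double-encoded), one traversal in an unrelated parameter.
$sampleLog = [
    '10.0.0.5 - - [14/Apr/2026:10:01:22 +0000] "GET /device/12/nfsen?nfsen=stats HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Apr/2026:10:02:01 +0000] "GET /device/12/nfsen?nfsen=..%2f..%2fapi-access HTTP/1.1" 200 3311 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Apr/2026:10:03:45 +0000] "GET /device/12/nfsen?nfsen=%252e%252e%252fapi-access HTTP/1.1" 200 3311 "-" "curl/8.5.0"',
    '10.0.0.7 - - [14/Apr/2026:10:04:10 +0000] "GET /device/12/nfsen?other=..%2f HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach ($sampleLog as $line) {
    if (nfsenTraversalAttempt($line)) {
        echo 'ALERT: ', $line, PHP_EOL;
    }
}
```

Only the second and third lines are reported. Decoding the parameter before matching is what separates this from a plain grep for `../`: a single-layer grep misses `%2e%2e%2f`, and a grep over the raw URL would also fire on the fourth line, where the traversal sits in a parameter the vulnerable include never reads.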
What immediate steps should I take to mitigate this vulnerability?
First check whether the LibreNMS project has published a fixed release and apply it; the affected build listed above is 22.11.0-23-gd091788f2. Where an upgrade cannot be applied immediately, the mitigation is strict validation of the nfsen parameter before any file is included: compare it against a whitelist of allowed page names and reject anything that does not match.
For example, modify the code so that the requested page must appear in an allowed list before it is included:
- Use a whitelist array such as ['general', 'stats', 'channel'] and include a file only when the parameter exactly matches one of these entries (strict comparison, no partial matches).
- basename() on its own is a weaker fallback: it removes directory components, so ../../api-access becomes api-access, but it still lets an attacker name any file the include pattern can reach inside the target directory. Use it in addition to the whitelist, not instead of it.
Additionally, restrict the NFSen module to trusted authenticated users, since the flaw is reachable by any authenticated account, and monitor web server logs for path traversal payloads in the nfsen parameter.
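The whitelist fix, as an added example that is not LibreNMS source: the include pattern the advisory describes (only a file_exists() check) next to a version that maps the parameter to a fixed set of page names before touching the filesystem. This serves both the explanation of the flaw above and the mitigation steps. The directory name, the <page>.inc.php naming, the function names and the page list ['general', 'stats', 'channel'] are assumptions taken from the mitigation text, not the project's real layout.

```php
<?php
// Added example, not LibreNMS source. Shows the include pattern the advisory
// describes (vulnerable) beside an allowlist-based replacement (hardened).
// Directory, <page>.inc.php naming and the page list are assumptions.

declare(strict_types=1);

const NFSEN_PAGE_DIR = __DIR__ . '/pages/nfsen';

// VULNERABLE: file_exists() only proves the target is present. With
// ?nfsen=../../api-access the path resolves outside pages/nfsen and the
// file is still included.
function includeNfsenPageVulnerable(string $nfsen): void
{
    $file = NFSEN_PAGE_DIR . '/' . $nfsen . '.inc.php';
    if (file_exists($file)) {
        include $file;
    }
}

// HARDENED: the parameter is compared (strictly) against a fixed set of
// page names; anything else is rejected before any filesystem call.
// basename() alone would still permit any *.inc.php in the directory,
// so the allowlist is the real control.
const NFSEN_ALLOWED_PAGES = ['general', 'stats', 'channel'];

function resolveNfsenPage(?string $nfsen): ?string
{
    $page = $nfsen ?? 'general';
    if (!in_array($page, NFSEN_ALLOWED_PAGES, true)) {
        return null;
    }
    return NFSEN_PAGE_DIR . '/' . $page . '.inc.php';
}

function includeNfsenPageHardened(?string $nfsen): void
{
    $file = resolveNfsenPage($nfsen);
    if ($file === null) {
        http_response_code(400);
        echo 'Unknown NFSen page';
        return;
    }
    include $file;
}

// Demonstration: a legitimate page, the advisory's traversal payload and a
// NUL-byte variant. Only the first resolves to a path.
foreach (['stats', '../../api-access', "stats\0"] as $input) {
    $resolved = resolveNfsenPage($input);
    printf("%-24s => %s\n", json_encode($input), $resolved ?? 'REJECTED');
}
```

Deciding on the page name first and building the path from that decision, rather than sanitizing a path the user supplied, is the point: there is no encoding or traversal trick to worry about because the user's string never becomes part of a filesystem path. If the set of pages is genuinely dynamic, the fallback is to build the candidate path, call realpath() on it and accept it only when the result starts with realpath(NFSEN_PAGE_DIR) followed by a directory separator.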