Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.
Published: 2026-02-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to unauthorized data access and database manipulation
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from the ajax_table.php endpoint in LibreNMS versions 25.12.0 and earlier. The application splits an IPv6 address into its address and prefix parts, but concatenates the prefix directly into an SQL statement without validation or parameterization. This allows an attacker to inject arbitrary SQL commands, leading to unauthorized read or modification of database contents. Such a flaw can compromise the confidentiality and integrity of monitoring data and could facilitate further attacks against the underlying system.

Affected Systems

LibreNMS, the open-source network monitoring platform, is affected when running 25.12.0 through 26.1.x. These releases contain the vulnerable ajax_table.php implementation. The issue was addressed in release 26.2.0, which removes the unparameterized query construction. Only installations of LibreNMS older than 26.2.0 need remediation.

Risk and Exploitability

With a CVSS score of 9.3 this flaw is considered critical, while the EPSS score of less than 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to access the web interface that hosts ajax_table.php and supply a crafted IPv6 address string; the malformed prefix component can be used to inject SQL statements that the server executes. Because the flaw permits arbitrary query execution, the impact could be full database compromise if successful. The low EPSS suggests the exploit is not widely available, but the high CVSS underscores the gravity of the potential damage.

Generated by OpenCVE AI on April 17, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreNMS to version 26.2.0 or later, which removes the vulnerable query logic.
  • If an upgrade is not immediately possible, restrict access to the ajax_table.php endpoint to trusted administrative users and disable the IPv6 prefix search feature until a patch is applied.
  • Add input validation to ensure IPv6 prefixes are numeric and within valid bounds before concatenation, or replace the query with a prepared statement that uses parameterized inputs.
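As an added illustration of the last two recommended actions (validate the prefix as a bounded integer, then bind both halves as query parameters), the following is example code written for this page and not LibreNMS's own; it uses Python with sqlite3 in place of the PHP/MySQL stack, and the ipv6_addresses table, its column names and the sample rows are assumptions.

```python
import ipaddress
import sqlite3

# Constructed sample rows; table and column names are assumptions for this
# example, not LibreNMS's real schema.
SAMPLE_ROWS = [("2001:db8::1", 64, 1), ("2001:db8::2", 64, 2),
               ("2001:db8:1::1", 48, 3), ("fd00::1", 8, 4)]

def open_sample_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ipv6_addresses "
                 "(ipv6_address TEXT, ipv6_prefixlen INTEGER, port_id INTEGER)")
    conn.executemany("INSERT INTO ipv6_addresses VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def parse_ipv6_search(raw):
    """Split 'address[/prefix]'; the address must parse as IPv6 and the prefix,
    if present, must be ASCII digits in 0..128, else ValueError is raised before
    any SQL is built. Only a canonical address and an int reach the query."""
    address, sep, prefix = raw.partition("/")
    addr = str(ipaddress.IPv6Address(address.strip()))  # raises on junk
    if not sep:
        return addr, None
    if not (prefix.isascii() and prefix.isdigit()):
        raise ValueError(f"prefix must be numeric, got {prefix!r}")
    plen = int(prefix)
    if not 0 <= plen <= 128:
        raise ValueError(f"prefix length out of range: {plen}")
    return addr, plen

def is_valid_ipv6_search(raw):
    """True when the search string passes validation."""
    try:
        parse_ipv6_search(raw)
        return True
    except ValueError:
        return False

def search_ipv6(conn, raw):
    """Query with bound parameters only; the prefix is never spliced into SQL."""
    address, plen = parse_ipv6_search(raw)
    sql = "SELECT port_id FROM ipv6_addresses WHERE ipv6_address = ?"
    params = [address]
    if plen is not None:
        sql += " AND ipv6_prefixlen = ?"
        params.append(plen)
    return [row[0] for row in conn.execute(sql, params)]
```

The validation step also canonicalizes the address (uppercase and zero-run variants collapse to one form), so a lookup matches stored rows regardless of how the user typed the address.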

Advisories
Source       ID                   Title
GitHub GHSA  GHSA-h3rv-q4rq-pqcv  LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream
History

Fri, 20 Feb 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 16:45:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1
                           {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Fri, 20 Feb 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Librenms; Librenms librenms
Vendors & Products                     Librenms; Librenms librenms

Fri, 20 Feb 2026 01:30:00 +0000

Type          Values Removed   Values Added
Description                    LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.
Title                          LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream
Weaknesses                     CWE-89
References
Metrics                        cvssV4_0
                               {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:35:06.925Z

Reserved: 2026-02-17T01:41:24.606Z

Link: CVE-2026-26988

Vulnrichment

Updated: 2026-02-20T15:31:40.868Z

NVD

Status : Analyzed

Published: 2026-02-20T02:16:54.550

Modified: 2026-02-20T16:31:42.897

Link: CVE-2026-26988

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses