Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.
Published: 2026-02-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure via Blind SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a time‑based blind SQL injection found in the address-search.inc.php file of LibreNMS. When a crafted subnet prefix is supplied through the address parameter, the prefix is concatenated into an SQL query without parameter binding, allowing an authenticated user to manipulate the query logic. By measuring response delays, an attacker can infer database contents, potentially exposing sensitive configuration and inventory data. This flaw is a classic example of SQL injection (CWE‑89).

Affected Systems

Affected systems are instances of LibreNMS version 25.12.0 and earlier. The issue was fixed in version 26.2.0, so any deployment that has not yet applied the latest update remains vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity assessment. The EPSS score is less than 1%, meaning the proportion of attacks observed is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable only by users who can authenticate to the application; an attacker must have valid credentials but can be any authenticated user. The main risk is data disclosure through time‑based inference.

Generated by OpenCVE AI on April 17, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreNMS to version 26.2.0 or later to eliminate the injection vector.
  • If an immediate upgrade is not possible, limit the use of the address search feature to users with the highest level of trust and enforce strict access control.
  • Apply the patch identified in the GitHub commit 15429580baba03ed1dd377bada1bde4b7a1175a1 or equivalent fixes to replace string concatenation with parameterized queries.

Generated by OpenCVE AI on April 17, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-79q9-wc6p-cf92 LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php
History

Fri, 20 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Librenms
Librenms librenms
Vendors & Products Librenms
Librenms librenms

Fri, 20 Feb 2026 02:15:00 +0000

Type Values Removed Values Added
Description LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.
Title LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Librenms Librenms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:34:46.036Z

Reserved: 2026-02-17T01:41:24.606Z

Link: CVE-2026-26990

cve-icon Vulnrichment

Updated: 2026-02-20T15:29:16.003Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T02:16:54.870

Modified: 2026-02-20T16:24:36.787

Link: CVE-2026-26990

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses