Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0.
Published: 2026-02-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting enabled by authenticated admin-level device group creation
Action: Patch Now
AI Analysis

Impact

LibreNMS stores the device group name on the server with no HTML escaping. An administrator who creates or edits a device group can inject arbitrary JavaScript that is then rendered when the group list is viewed by any logged‑in user. The stored XSS can be leveraged for session hijacking, credential theft, or in‑browser code execution, potentially allowing a privileged attacker to compromise other users’ sessions and access sensitive network information.

Affected Systems

The vulnerability exists in LibreNMS 26.1.1 and earlier releases. All installations of the LibreNMS monitoring platform that have not applied the 26.2.0 update are affected.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score of less than 1% suggests that exploit prevalence is low, and the vulnerability is not listed in CISA’s KEV catalog, meaning no known widespread exploitation. The attack requires administrative credentials to create a device group, and the malicious payload is stored and served back to any user who views the group list. Successful exploitation requires an authenticated session with administrative rights and relies on the web UI’s rendering of the unsanitized name field.

Generated by OpenCVE AI on April 18, 2026 at 11:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreNMS to version 26.2.0 or later to deploy the vendor fix
  • Sanitize the device group name field by escaping or stripping HTML tags prior to storage as an interim workaround
  • Audit existing device group names and remove any that contain injected scripting or other suspicious content
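The two defensive patterns named above (escape the name before it reaches HTML; audit the names already stored) and the rendering flaw described under Impact, shown in PHP as an added illustration. This is not LibreNMS code and not the fix shipped in 26.2.0; the function names and the sample group names are constructed for the example.

```php
<?php
// Added example (not LibreNMS code): an unescaped device group name entering
// HTML, the output-encoded form, a storage-side interim sanitizer, and an audit
// over stored names. All names below are constructed sample data.

declare(strict_types=1);

const SAMPLE_GROUP_NAMES = [
    'Core Routers',                       // benign
    'Branch <b>Switches</b>',             // markup, probably accidental
    '<img src=x onerror="alert(1)">',     // classic stored-XSS probe
    'Edge "quoted" group',                // quotes only, no markup
];

// Vulnerable pattern: the stored name is interpolated straight into the row.
function renderRowUnsafe(string $name): string
{
    return "<td>{$name}</td>";
}

// Hardened pattern: contextual output encoding at the point the value enters
// HTML. In a Laravel/Blade view the equivalent is {{ $name }} rather than
// {!! $name !!}.
function renderRowSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<td>{$escaped}</td>";
}

// Interim workaround from the recommendations: strip tags before the name is
// written. This is a stopgap only; output encoding must still be applied at
// render time, because strip_tags() does not address every HTML context.
function sanitizeNameForStorage(string $name): string
{
    return trim(strip_tags($name));
}

// Audit helper: return every stored name that contains markup or an
// inline-script indicator so an operator can review and rename it.
function auditGroupNames(array $names): array
{
    $suspicious = [];
    foreach ($names as $name) {
        $hasTags = ($name !== strip_tags($name));
        $hasHandler = preg_match('/\bon[a-z]+\s*=|javascript:/i', $name) === 1;
        if ($hasTags || $hasHandler) {
            $suspicious[] = $name;
        }
    }
    return $suspicious;
}

foreach (SAMPLE_GROUP_NAMES as $name) {
    printf("unsafe:   %s\nencoded:  %s\nstorage:  %s\n\n",
        renderRowUnsafe($name),
        renderRowSafe($name),
        sanitizeNameForStorage($name));
}

echo "flagged for review:\n";
print_r(auditGroupNames(SAMPLE_GROUP_NAMES));
```

Run with `php example.php`. Two of the four sample names are flagged by the audit (the bold-tagged one and the image tag with an event handler); the quoted name passes the audit but still needs encoding, which is why the durable fix is output encoding in the view rather than sanitizing on the way into the database.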



Advisories
Source      | ID                  | Title
Github GHSA | GHSA-5pqf-54qp-32wx | LibreNMS /device-groups name Stored Cross-Site Scripting
History

Sat, 21 Feb 2026 08:15:00 +0000

Type    | Values Removed | Values Added
Metrics | -              | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 16:30:00 +0000

Type    | Values Removed | Values Added
CPEs    | -              | cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*
Metrics | -              | cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Fri, 20 Feb 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared | -              | Librenms; Librenms librenms
Vendors & Products  | -              | Librenms; Librenms librenms

Fri, 20 Feb 2026 03:15:00 +0000

Type        | Values Removed | Values Added
Description | -              | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0.
Title       | -              | LibreNMS vulnerable to Stored Cross-site Scripting through unsanitized /device-groups name
Weaknesses  | -              | CWE-79
References  | -              | -
Metrics     | -              | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T16:35:40.195Z

Reserved: 2026-02-17T01:41:24.606Z

Link: CVE-2026-26991

Vulnrichment

Updated: 2026-02-20T16:35:34.609Z

NVD

Status : Analyzed

Published: 2026-02-20T03:15:59.977

Modified: 2026-02-20T16:21:10.527

Link: CVE-2026-26991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses