Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter. After the port group is created, the entry is displayed along with relevant buttons such as Edit and Delete. This issue has been fixed in version 26.2.0.
Published: 2026-02-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

LibreNMS, a PHP/MySQL/SNMP network monitoring platform, has a stored cross‑site scripting flaw in versions 26.1.1 and earlier. The vulnerability arises when the name of a port group is accepted without sanitization during creation. An attacker with administrative access can inject crafted JavaScript into the name field. Once the port group is stored, any subsequent viewing of the group—such as on the listing page with Edit and Delete buttons—will execute the embedded script in the context of other users’ browsers, potentially enabling session hijacking, credential theft, or defacement of the application for users who view the page.

Affected Systems

The vulnerability impacts LibreNMS deployments running version 26.1.1 or earlier. The vendor product is LibreNMS, an open‑source network monitoring system. The affected components are the web interface handling POST requests to /port‑groups. The fix is available in release 26.2.0.

Risk and Exploitability

The CVSS base score is 5.1, indicating moderate severity. EPSS shows an exploitation probability of less than 1%, suggesting the likelihood of exploitation is low. The vulnerability is not listed in CISA's KEV catalog. The attack vector requires the attacker to have administrative privileges to create a malicious port group, so compromised or mis‑privileged accounts pose the primary risk. A successful exploit would allow an attacker to compromise the sessions of other users who examine the port‑group list.

Generated by OpenCVE AI on April 17, 2026 at 17:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreNMS to version 26.2.0 or later to apply the fix that sanitizes port‑group names.
  • Review existing port groups created before the patch; delete any with suspicious or non‑ASCII characters and recreate them with safe names.
  • Limit the creation or modification of port groups to a narrow set of trusted administrators and enforce least‑privilege access controls.

Generated by OpenCVE AI on April 17, 2026 at 17:32 UTC.
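
A triage check for the second recommended action, added here as an example and not part of LibreNMS or OpenCVE: it flags port-group names that contain HTML metacharacters, non-ASCII characters or control characters, and emits an HTML-escaped copy that is safe to paste into a report. The (id, name) rows are constructed sample data standing in for an export of existing port groups, and the function name audit_port_groups is hypothetical.

```python
import html
import re

# Characters that let a stored value break out of HTML text or attribute context.
MARKUP_CHARS = re.compile(r"[<>\"'&`]")


def audit_port_groups(rows):
    """Return findings for (id, name) rows whose name needs manual review.

    A name is flagged when it contains HTML-significant characters,
    non-ASCII characters, or control characters.
    """
    findings = []
    for group_id, name in rows:
        reasons = []
        if MARKUP_CHARS.search(name):
            reasons.append("html-metacharacters")
        if not name.isascii():
            reasons.append("non-ascii")
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
            reasons.append("control-characters")
        if reasons:
            findings.append({
                "id": group_id,
                "reasons": reasons,
                # Escaped form renders as inert text in a report or ticket.
                "escaped": html.escape(name, quote=True),
            })
    return findings


# Constructed sample rows (id, name); not taken from any real deployment.
SAMPLE_ROWS = [
    (1, "Core uplinks"),                 # clean, not reported
    (2, "<script>alert(1)</script>"),    # markup stored in the name field
    (3, "Zürich access"),                # legitimate, but flagged for review
    (4, "Edge & DMZ"),                   # legitimate, but must be escaped on output
]

if __name__ == "__main__":
    for finding in audit_port_groups(SAMPLE_ROWS):
        print(finding["id"], ",".join(finding["reasons"]), finding["escaped"])
```

Rows 3 and 4 show why flagged names need a human decision rather than automatic deletion: both are plausible legitimate names that only become a problem if the page renders them unescaped.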


Advisories
Source: GitHub GHSA
ID: GHSA-93fx-g747-695x
Title: LibreNMS /port-groups name Stored Cross-Site Scripting
History

Fri, 20 Feb 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 16:30:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Librenms; Librenms librenms

Type: Vendors & Products
Values Removed: (none)
Values Added: Librenms; Librenms librenms

Fri, 20 Feb 2026 03:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter. After the port group is created, the entry is displayed along with relevant buttons such as Edit and Delete. This issue has been fixed in version 26.2.0.

Type: Title
Values Removed: (none)
Values Added: LibreNMS has Stored Cross-Site Scripting via unsanitized /port-groups name

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:53:20.444Z

Reserved: 2026-02-17T01:41:24.606Z

Link: CVE-2026-26992

Vulnrichment

Updated: 2026-02-20T15:53:14.607Z

NVD

Status: Analyzed

Published: 2026-02-20T03:16:00.990

Modified: 2026-02-20T16:20:34.507

Link: CVE-2026-26992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses