Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0.
Published: 2026-02-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via the Custom OID unit field
Action: Apply Patch
AI Analysis

Impact

LibreNMS, an auto‑discovery network monitoring tool, stores the value of the unit field in a Custom OID without applying strip_tags() or HTML escaping. The stored value is later rendered on web pages, so an attacker who can inject a crafted unit string can cause arbitrary JavaScript to execute in the browsers of any user who views the page, leading to cookie theft, session hijacking, or further client‑side attacks.

Affected Systems

Versions 24.10.0 through 26.1.1 of the LibreNMS application are affected. The vulnerability is limited to the Librenms:Librenms product line and is resolved in release 26.2.0.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of being actively exploited. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to create or edit a Custom OID via the web interface, a privilege normally granted to highly trusted administrators. Once a malicious unit value is stored, any user who views the corresponding page will have the script executed in their browser. The impact is confined to the affected users’ browsers, but the attack can be amplified if social engineering is used to lure other users to the compromised page.

Generated by OpenCVE AI on April 18, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Librenms to version 26.2.0 or later.
  • Delete or sanitize previously stored unit values that may contain malicious scripts.
  • Restrict Custom OID creation/editing to trusted administrators and enforce stricter input validation.
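As an added illustration (not LibreNMS's own code), the PHP below models the sanitization gap named in the description, where strip_tags() is applied to name, oid and datatype but not to unit, next to a hardened form that strips on input and escapes on output, plus the audit step from the recommended actions. The function names, the stored-row shape (id, unit) and the sample values are assumptions.

```php
<?php
// Illustrative model of the pattern in the advisory, not LibreNMS code:
// three fields are passed through strip_tags(), unit is stored verbatim.
function sanitizeCustomOidVulnerable(array $input): array {
    return [
        'name'     => strip_tags($input['name'] ?? ''),
        'oid'      => strip_tags($input['oid'] ?? ''),
        'datatype' => strip_tags($input['datatype'] ?? ''),
        'unit'     => $input['unit'] ?? '',  // no strip_tags(): markup reaches the DB
    ];
}

// Hardened input handling: every user-controlled field is treated the same way.
function sanitizeCustomOidFixed(array $input): array {
    $clean = [];
    foreach (['name', 'oid', 'datatype', 'unit'] as $field) {
        $clean[$field] = strip_tags(trim((string) ($input[$field] ?? '')));
    }
    return $clean;
}

// Output escaping is the second, independent layer: even a value that slipped
// into the database before the fix is rendered as text, not as HTML.
function renderUnit(string $unit): string {
    return htmlspecialchars($unit, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Audit helper for rows stored by a vulnerable version: returns the ids of
// Custom OIDs whose unit still contains markup. Row shape (id, unit) is assumed.
function findMarkupInStoredUnits(array $rows): array {
    $suspect = [];
    foreach ($rows as $row) {
        $unit = (string) ($row['unit'] ?? '');
        if (strip_tags($unit) !== $unit) {
            $suspect[] = $row['id'];
        }
    }
    return $suspect;
}

// Constructed sample input; the markup in unit is an inert marker, not a payload.
$input = ['name' => 'uptime', 'oid' => '.1.3.6.1.2.1.1.3.0',
          'datatype' => 'GAUGE', 'unit' => 'ms<b>x</b>'];
var_dump(sanitizeCustomOidVulnerable($input)['unit']);   // tags survive
var_dump(sanitizeCustomOidFixed($input)['unit']);        // tags removed
var_dump(renderUnit($input['unit']));                    // tags escaped for display

// Constructed stored rows: only the second one should be flagged.
$rows = [['id' => 1, 'unit' => 'ms'], ['id' => 2, 'unit' => 'ms<b>x</b>']];
var_dump(findMarkupInStoredUnits($rows));
```

Both layers matter: strip_tags() on input closes the gap for new rows, while escaping at render time is what protects users from values already stored by an unpatched version.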


Tracking


Advisories
Source | ID | Title
Github GHSA | GHSA-fqx6-693c-f55g | LibreNMS has a Stored XSS in Custom OID - unit parameter missing strip_tags()
History

Fri, 20 Feb 2026 16:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*

Fri, 20 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Librenms; Librenms librenms
Vendors & Products | | Librenms; Librenms librenms

Fri, 20 Feb 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0.
Title | | LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags()
Weaknesses | | CWE-116; CWE-79
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Librenms Librenms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:34:34.942Z

Reserved: 2026-02-17T03:08:23.490Z

Link: CVE-2026-27016

Vulnrichment

Updated: 2026-02-20T15:26:34.413Z

NVD

Status: Analyzed

Published: 2026-02-20T02:16:55.140

Modified: 2026-02-20T16:22:29.830

Link: CVE-2026-27016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses