Description
LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. Successful exploitation requires administrative privileges. Exploitation could result in XSS attacks being performed against other users with access to the page.
Published: 2026-04-13
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side script execution (Cross‑Site Scripting) enabled by authenticated users
Action: Patch
AI Analysis

Impact

The vulnerability is an authenticated Cross‑Site Scripting flaw in the showconfig page of LibreNMS. Only users with administrative privileges can inject malicious code; once the code runs it can affect any other user who subsequently visits the same page. The injected script can steal session cookies, modify page content, or perform other malicious actions within the victim’s browser. This is a typical instance of CWE‑79, where unsanitized user input is reflected in web content.

Affected Systems

LibreNMS releases prior to version 26.3.0 are impacted when accessed via the web interface on the showconfig page. The flaw is limited to the LibreNMS product from the librenms vendor.

Risk and Exploitability

The CVSS score of 4.6 reflects a moderate impact, with no publicly reported exploitation probabilities or KEV listing. Exploitation requires valid administrative credentials, so the attack vector is an authenticated web interface. Because the vulnerability allows only client‑side code execution, it does not provide direct code execution on the server, but it can be used for user‑contamination or phishing attacks.

Generated by OpenCVE AI on April 13, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreNMS to version 26.3.0 or later

Generated by OpenCVE AI on April 13, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Authenticated Cross‑Site Scripting in LibreNMS showconfig Page

Mon, 13 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Librenms
Librenms librenms
Vendors & Products Librenms
Librenms librenms

Mon, 13 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Description LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. Successful exploitation requires administrative privileges. Exploitation could result in XSS attacks being performed against other users with access to the page.
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Librenms Librenms
cve-icon MITRE

Status: PUBLISHED

Assigner: PRJBLK

Published:

Updated: 2026-04-13T12:59:06.750Z

Reserved: 2026-02-18T23:44:14.961Z

Link: CVE-2026-2728

cve-icon Vulnrichment

Updated: 2026-04-13T12:59:01.818Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-13T11:16:05.407

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-2728

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:52:30Z

Weaknesses