CVE-2026-26989 (GCVE-0-2026-26989)
Vulnerability from cvelistv5 – Published: 2026-02-20 01:25 – Updated: 2026-02-20 15:34
VLAI?
Title
LibreNMS has Stored XSS in Alert Rule
Summary
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0.
Severity ?
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26989",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:26:36.141583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:34:55.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "librenms",
"vendor": "librenms",
"versions": [
{
"status": "affected",
"version": "\u003c 26.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T01:25:31.936Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7"
},
{
"name": "https://github.com/librenms/librenms/pull/19039",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/librenms/librenms/pull/19039"
},
{
"name": "https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58"
},
{
"name": "https://github.com/librenms/librenms/releases/tag/26.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/librenms/librenms/releases/tag/26.2.0"
}
],
"source": {
"advisory": "GHSA-6xmx-xr9p-58p7",
"discovery": "UNKNOWN"
},
"title": "LibreNMS has Stored XSS in Alert Rule"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26989",
"datePublished": "2026-02-20T01:25:31.936Z",
"dateReserved": "2026-02-17T01:41:24.606Z",
"dateUpdated": "2026-02-20T15:34:55.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-26989\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-20T02:16:54.710\",\"lastModified\":\"2026-02-20T16:25:20.917\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.9,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"26.2.0\",\"matchCriteriaId\":\"C0838E1C-0369-4B31-9B51-83A5D2A7CAC9\"}]}]}],\"references\":[{\"url\":\"https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/librenms/librenms/pull/19039\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/librenms/librenms/releases/tag/26.2.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26989\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T15:26:36.141583Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-20T15:26:37.884Z\"}}], \"cna\": {\"title\": \"LibreNMS has Stored XSS in Alert Rule\", \"source\": {\"advisory\": \"GHSA-6xmx-xr9p-58p7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"librenms\", \"product\": \"librenms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7\", \"name\": \"https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/librenms/librenms/pull/19039\", \"name\": \"https://github.com/librenms/librenms/pull/19039\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58\", \"name\": \"https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/librenms/librenms/releases/tag/26.2.0\", \"name\": \"https://github.com/librenms/librenms/releases/tag/26.2.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-20T01:25:31.936Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-26989\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T15:34:55.873Z\", \"dateReserved\": \"2026-02-17T01:41:24.606Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-20T01:25:31.936Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2026-AVI-0174
Vulnerability from certfr_avis - Published: 2026-02-17 - Updated: 2026-02-17
De multiples vulnérabilités ont été découvertes dans LibreNMS. Elles permettent à un attaquant de provoquer une injection SQL (SQLi) et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "LibreNMS versions ant\u00e9rieures \u00e0 26.2.0",
"product": {
"name": "LibreNMS",
"vendor": {
"name": "LibreNMS",
"scada": false
}
}
},
{
"description": "LibreNMS versions post\u00e9rieures \u00e0 24.10.0 et ant\u00e9rieures \u00e0 26.2.0 pour composer",
"product": {
"name": "LibreNMS",
"vendor": {
"name": "LibreNMS",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-26988",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26988"
},
{
"name": "CVE-2026-26990",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26990"
},
{
"name": "CVE-2026-26989",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26989"
},
{
"name": "CVE-2026-26987",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26987"
}
],
"initial_release_date": "2026-02-17T00:00:00",
"last_revision_date": "2026-02-17T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0174",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection SQL (SQLi)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans LibreNMS. Elles permettent \u00e0 un attaquant de provoquer une injection SQL (SQLi) et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans LibreNMS",
"vendor_advisories": [
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-79q9-wc6p-cf92",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-fqx6-693c-f55g",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-h3rv-q4rq-pqcv",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-h3rv-q4rq-pqcv"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-93fx-g747-695x",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-5pqf-54qp-32wx",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-6xmx-xr9p-58p7",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-gqx7-99jw-6fpr",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr"
}
]
}
GHSA-6XMX-XR9P-58P7
Vulnerability from github – Published: 2026-02-18 22:30 – Updated: 2026-02-20 16:50
VLAI?
Summary
LibreNMS has a Stored XSS in Alert Rule
Details
Summary
A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.12.0) in the creation of Alert Rules. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the alert rules page is viewed.
Details
The stored JavaScript is displayed at line 63 of inlcudes/html/modal/alert_rule_list.inc.php.
<td><i>" . e($rule_display) . "</i></td>
PoC
Request PoC:
POST /alert-rule HTTP/1.1
Host: 192.168.236.131
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-TOKEN: FaBY9sq0bzXpc3mlsvyRdvg0PLInwBXPnEhHNrZF
X-Requested-With: XMLHttpRequest
Content-Length: 718
Origin: http://192.168.236.131
Connection: keep-alive
Referer: http://192.168.236.131/device/device=1/tab=edit/section=alert-rules
Cookie: XSRF-TOKEN=eyJpdiI6ImhpdDNwV29nZE1lYzc0NGxyK2dGK2c9PSIsInZhbHVlIjoiUkpXUUlMYTZwT2VaZmNPZExKcHNLQWxwOFVjaGM3Z2hzNVBSa2thTEluSDdBL3Q0amVURGp1Q0tjYm15akw1QmJacDRqY3Y1eTNzS3l1VSsvcjVUaTRIalBKQzVpUlRySktLTHlnTHQxa29NNzlxaXMxQzdsalpUeDNaWTRKSjkiLCJtYWMiOiIwZGQ4ZmEzZmFmZTJkOGIyZWIxOGVhZjE0MTU4ZWI5ZjFlYTI0Y2NkNjcwYTU2Y2JkMTM5MDAxZDg1YWIzY2M5IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6ImVWbzBKRU9IaURzOUJ6OVNjREVGbFE9PSIsInZhbHVlIjoiRlJPckhRRG4yZjFiUjdGMlZTUXlhNXArT0pMcUdQY3RaV1EvRWJZdGNWUFUzYjhVaWxLS1hFclpacmFHOGQyNllFaGF1ckRYQWZKNHdzNEQ5RHFmdzh3WEY3UFZvdGlqc3RQVUc2Mk1QYTZ0c045YWt0TG0rS2ttU0ZpV3NQMXkiLCJtYWMiOiI1YWM1OWM5MGMwOTcyNDk2OTU1NTBlY2ExZjQ4M2M1YmQ3ZWFlNzQ5NDVmZTgxOTEyMjNkNjJhM2EzZjY1OWE5IiwidGFnIjoiIn0%3D
Priority: u=0
_token=FaBY9sq0bzXpc3mlsvyRdvg0PLInwBXPnEhHNrZF&device_id=1&device_name=127.0.0.1&rule_id=&builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22xss%5C%22)%3C%2Fscript%3E%22%7D%5D%2C%22valid%22%3Atrue%7D&name=Test+rule&builder_rule_0_filter=access_points.accesspoint_id&builder_rule_0_operator=equal&builder_rule_0_value_0=%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E&severity=warning&count=1&delay=1m&interval=5m&recovery=on&acknowledgement=on&maps%5B%5D=1&proc=¬es=&adv_query=
Steps to reproduce:
1. Create and save an alert rule within a device with the following values:
- Injected JavaScript is executed:
Impact
Type: Stored Cross-Site Scripting (XSS) Affected users: Only accounts with the admin role which can edit a device's alert rules are affected. Attackers need: Authenticated admin-level access.
Severity ?
4.3 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 25.12.0"
},
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26989"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T22:30:32Z",
"nvd_published_at": "2026-02-20T02:16:54Z",
"severity": "MODERATE"
},
"details": "### Summary\nA stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (\u003c= 25.12.0) in the creation of Alert Rules. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the alert rules page is viewed.\n\n### Details\nThe stored JavaScript is displayed at line 63 of `inlcudes/html/modal/alert_rule_list.inc.php`.\n```\n\u003ctd\u003e\u003ci\u003e\" . e($rule_display) . \"\u003c/i\u003e\u003c/td\u003e\n```\n\n### PoC\n\nRequest PoC:\n```\nPOST /alert-rule HTTP/1.1\nHost: 192.168.236.131\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-CSRF-TOKEN: FaBY9sq0bzXpc3mlsvyRdvg0PLInwBXPnEhHNrZF\nX-Requested-With: XMLHttpRequest\nContent-Length: 718\nOrigin: http://192.168.236.131\nConnection: keep-alive\nReferer: http://192.168.236.131/device/device=1/tab=edit/section=alert-rules\nCookie: XSRF-TOKEN=eyJpdiI6ImhpdDNwV29nZE1lYzc0NGxyK2dGK2c9PSIsInZhbHVlIjoiUkpXUUlMYTZwT2VaZmNPZExKcHNLQWxwOFVjaGM3Z2hzNVBSa2thTEluSDdBL3Q0amVURGp1Q0tjYm15akw1QmJacDRqY3Y1eTNzS3l1VSsvcjVUaTRIalBKQzVpUlRySktLTHlnTHQxa29NNzlxaXMxQzdsalpUeDNaWTRKSjkiLCJtYWMiOiIwZGQ4ZmEzZmFmZTJkOGIyZWIxOGVhZjE0MTU4ZWI5ZjFlYTI0Y2NkNjcwYTU2Y2JkMTM5MDAxZDg1YWIzY2M5IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6ImVWbzBKRU9IaURzOUJ6OVNjREVGbFE9PSIsInZhbHVlIjoiRlJPckhRRG4yZjFiUjdGMlZTUXlhNXArT0pMcUdQY3RaV1EvRWJZdGNWUFUzYjhVaWxLS1hFclpacmFHOGQyNllFaGF1ckRYQWZKNHdzNEQ5RHFmdzh3WEY3UFZvdGlqc3RQVUc2Mk1QYTZ0c045YWt0TG0rS2ttU0ZpV3NQMXkiLCJtYWMiOiI1YWM1OWM5MGMwOTcyNDk2OTU1NTBlY2ExZjQ4M2M1YmQ3ZWFlNzQ5NDVmZTgxOTEyMjNkNjJhM2EzZjY1OWE5IiwidGFnIjoiIn0%3D\nPriority: u=0\n\n_token=FaBY9sq0bzXpc3mlsvyRdvg0PLInwBXPnEhHNrZF\u0026device_id=1\u0026device_name=127.0.0.1\u0026rule_id=\u0026builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22xss%5C%22)%3C%2Fscript%3E%22%7D%5D%2C%22valid%22%3Atrue%7D\u0026name=Test+rule\u0026builder_rule_0_filter=access_points.accesspoint_id\u0026builder_rule_0_operator=equal\u0026builder_rule_0_value_0=%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E\u0026severity=warning\u0026count=1\u0026delay=1m\u0026interval=5m\u0026recovery=on\u0026acknowledgement=on\u0026maps%5B%5D=1\u0026proc=\u0026notes=\u0026adv_query=\n```\n\nSteps to reproduce:\n1. Create and save an alert rule within a device with the following values:\n\u003cimg width=\"893\" height=\"325\" alt=\"image\" src=\"https://github.com/user-attachments/assets/33bdb9a6-7c6c-4fd4-9e8e-b845cf9600ea\" /\u003e\n\n2. Injected JavaScript is executed:\n\u003cimg width=\"1104\" height=\"565\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3d45c686-72e4-458a-93f6-e7fb749b966b\" /\u003e\n\n\n\n### Impact\nType: Stored Cross-Site Scripting (XSS)\nAffected users: Only accounts with the admin role which can edit a device\u0027s alert rules are affected.\nAttackers need: Authenticated admin-level access.",
"id": "GHSA-6xmx-xr9p-58p7",
"modified": "2026-02-20T16:50:54Z",
"published": "2026-02-18T22:30:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26989"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/pull/19039"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/releases/tag/26.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "LibreNMS has a Stored XSS in Alert Rule"
}
FKIE_CVE-2026-26989
Vulnerability from fkie_nvd - Published: 2026-02-20 02:16 - Updated: 2026-02-20 16:25
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0838E1C-0369-4B31-9B51-83A5D2A7CAC9",
"versionEndExcluding": "26.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0."
}
],
"id": "CVE-2026-26989",
"lastModified": "2026-02-20T16:25:20.917",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-20T02:16:54.710",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/librenms/librenms/pull/19039"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/librenms/librenms/releases/tag/26.2.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…