CVE-2026-26989

4.3 MEDIUM

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in LibreNMS that allows attackers with administrative privileges to inject malicious scripts into the Alert Rules workflow. When other users view the Alert Rules page, these scripts execute in their browser context. Only LibreNMS instances running versions 25.12.0 or below are affected.

💻 Affected Systems

Products:
  • LibreNMS
Versions: 25.12.0 and below
Operating Systems: All platforms running LibreNMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have administrative privileges in LibreNMS. Only affects users who access the Alert Rules page.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with admin access could steal session cookies, perform actions as other users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Privilege escalation within the LibreNMS application, session hijacking, or credential theft from authenticated users.

🟢 If Mitigated

Limited impact due to requiring administrative privileges for exploitation and affecting only users who access the Alert Rules page.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative access to LibreNMS. The vulnerability is in the Alert Rules workflow where input validation is insufficient.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 26.2.0

Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7

Restart Required: No

Instructions:

1. Back up your LibreNMS installation and database.
2. Update LibreNMS to version 26.2.0 or later using your preferred update method.
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Restrict Administrative Access (applies to: all)

Limit administrative privileges to only the trusted users who absolutely need them.

Content Security Policy (applies to: all)

Implement a strict Content Security Policy header to limit the impact of injected scripts.

🧯 If You Can't Patch

  • Remove administrative privileges from untrusted users
  • Implement web application firewall rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check LibreNMS version via web interface or by examining the installation directory. Versions 25.12.0 or below are vulnerable.

Check Version:

cd /opt/librenms && ./validate.php    # the first lines of output report the installed LibreNMS version

Verify Fix Applied:

Confirm LibreNMS version is 26.2.0 or later. Test Alert Rules functionality to ensure proper input sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to Alert Rules by administrative users
  • Suspicious JavaScript payloads in application logs

Network Indicators:

  • Unexpected outbound connections from LibreNMS server when users access Alert Rules

SIEM Query:

source="librenms" AND (alert_rules OR "XSS" OR "script")
