CVE-2026-26991

4.8 MEDIUM

📋 TL;DR

This stored XSS vulnerability in LibreNMS allows attackers with admin privileges to inject malicious scripts into device group names, which execute when other users view those groups. It affects LibreNMS versions 26.1.1 and below. The vulnerability requires admin-level access but can impact all users who view the compromised device groups.

💻 Affected Systems

Products:
  • LibreNMS
Versions: 26.1.1 and below
Operating Systems: All platforms running LibreNMS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where admin privileges have been granted to potentially malicious users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Admin attacker could steal session cookies, redirect users to malicious sites, perform actions as authenticated users, or deploy malware to administrators' browsers.

🟠 Likely Case

Attackers with compromised admin accounts could steal credentials from other users, modify monitoring data, or disrupt network monitoring operations.

🟢 If Mitigated

With proper input validation and output encoding, the script payloads would be rendered harmless as text rather than executed.

🌐 Internet-Facing: HIGH if LibreNMS is exposed to the internet, as any compromised admin account could lead to widespread user compromise.
🏢 Internal Only: MEDIUM as it still allows lateral movement and privilege escalation within the network if an admin account is compromised.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin privileges but is trivial once those credentials are obtained. The vulnerability is in a core feature with clear attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 26.2.0

Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx

Restart Required: No

Instructions:

1. Back up your LibreNMS installation and database.
2. Update to version 26.2.0 or later using your preferred update method (git pull, package manager, or manual download).
3. Run ./daily.sh to update the database schema if needed.
4. Verify the fix by checking that device group names are properly sanitized.

🔧 Temporary Workarounds

Input Validation via Web Application Firewall

Platforms: all

Configure WAF rules to block XSS payloads in POST requests to the /device-groups endpoint.

Restrict Admin Privileges

Platforms: all

Review and minimize admin accounts, and implement strong authentication for admin users.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Monitor and audit all device group creation/modification activities for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check whether your LibreNMS version is 26.1.1 or earlier. Attempt to create a device group with a name containing <script>alert('test')</script>; if the script executes when the group is viewed, you are vulnerable.

Check Version:

cd /opt/librenms && php includes/functions.php version

Verify Fix Applied:

After updating to 26.2.0 or later, repeat the same XSS test; the script should appear as plain text rather than executing.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /device-groups containing script tags or JavaScript in the name parameter
  • Unusual device group creation patterns from admin accounts

Network Indicators:

  • HTTP traffic to /device-groups with suspicious payloads in POST data

SIEM Query:

source="librenms.log" AND "POST /device-groups" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
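Added example, not from the advisory or from LibreNMS: a Python check that applies the SIEM query's indicators to constructed request-log lines, URL-decoding and lower-casing each submitted field before matching, so encoded or mixed-case payloads that the literal string query above would miss are still flagged. The log line format and field names (name, desc) are assumptions; it also checks every submitted field, not only name.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Indicator substrings taken from the advisory's SIEM query (lower-case, no closing '>'
# so '<script src=...>' variants also match).
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed sample log lines (not real LibreNMS output): method, path and the
# URL-encoded POST body, as a reverse proxy with request-body logging might record.
SAMPLE_LOG = """\
POST /device-groups body=name=Core+Switches&desc=Datacenter
POST /device-groups body=name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&desc=x
POST /device-groups body=name=%3CScRiPt+src%3D%2F%2Fexample.invalid%3E&desc=y
POST /device-groups body=name=Edge&desc=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
GET /device-groups/7
POST /devices body=hostname=%3Cscript%3E
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+)(?: body=(?P<body>.*))?$")

def normalize(value: str) -> str:
    """Decode once more (catches double-encoded payloads) and lower-case the value,
    so markers match regardless of %XX escapes or mixed-case tag names."""
    return unquote_plus(value).lower()

def suspicious_fields(body: str) -> dict:
    """Return {field: decoded_value} for every form field whose value carries a marker."""
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            decoded = normalize(v)
            if any(marker in decoded for marker in XSS_MARKERS):
                hits[field] = decoded
    return hits

def scan(log_text: str) -> list:
    """Flag POST requests to /device-groups whose body carries XSS markers in any field."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/device-groups"):
            continue
        hits = suspicious_fields(m["body"] or "")
        if hits:
            findings.append((line, hits))
    return findings

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print("FLAGGED:", line, "->", hits)
```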
