CVE-2026-26989
LibreNMS has Stored XSS in Alert Rule
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0.
| CWE | CWE-79 |
| Vendor | librenms |
| Product | librenms |
| Published | Feb 20, 2026 |
| Last Updated | Feb 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for librenms librenms
Be the first to know when new medium vulnerabilities affecting librenms librenms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Affected Versions
librenms / librenms
< 26.2.0
References
github.com: https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7 github.com: https://github.com/librenms/librenms/pull/19039 github.com: https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58 github.com: https://github.com/librenms/librenms/releases/tag/26.2.0