CVE-2026-26992
LibreNMS has Stored Cross-Site Scripting via unsanitized /port-groups name
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter. After the port group is created, the entry is displayed along with relevant buttons such as Edit and Delete. This issue has been fixed in version 26.2.0.
| CWE | CWE-79 |
| Vendor | librenms |
| Product | librenms |
| Published | Feb 20, 2026 |
| Last Updated | Feb 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for librenms librenms
Be the first to know when new unknown vulnerabilities affecting librenms librenms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
librenms / librenms
< 26.2.0
References
github.com: https://github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x github.com: https://github.com/librenms/librenms/pull/19042 github.com: https://github.com/librenms/librenms/commit/882fe6f90ea504a3732f83caf89bba7850a5699f github.com: https://github.com/librenms/librenms/releases/tag/26.2.0