CVE-2026-26989

medium

Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP-based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0.

References

https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7

https://github.com/librenms/librenms/releases/tag/26.2.0

https://github.com/librenms/librenms/pull/19039

https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58

Details

Source: Mitre, NVD

Published: 2026-02-20

Updated: 2026-02-20

Risk Information

CVSS v2

Base Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.8

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00002