CVE-2026-26989 Overview
CVE-2026-26989 is a Stored Cross-Site Scripting (XSS) vulnerability affecting LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to malicious script injection in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page.
Critical Impact
Stored XSS in the Alert Rules page allows privileged attackers to execute arbitrary JavaScript in the browsers of other users, potentially leading to session hijacking, credential theft, or further compromise of the monitoring infrastructure.
Affected Products
- LibreNMS versions 25.12.0 and below
- LibreNMS Alert Rules workflow component
- LibreNMS includes/html/modal/alert_rule_list.inc.php
Discovery Timeline
- 2026-02-20 - CVE-2026-26989 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26989
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists within the Alert Rules modal component of LibreNMS. The application fails to properly sanitize user-supplied input when rendering alert rule data in the administrative interface. Specifically, the $rule_display variable was being output without adequate HTML entity encoding or tag stripping, allowing embedded script content to be stored and later executed when other users view the Alert Rules page.
The vulnerability requires administrative privileges to exploit, which limits the attack surface. However, in multi-admin environments or scenarios where an attacker has compromised an admin account, this flaw enables persistent attacks against other administrators or users with access to the Alert Rules interface.
Root Cause
The root cause is insufficient input sanitization in the alert_rule_list.inc.php file. While the e() function was being used for escaping, the $rule_display variable was not being processed through strip_tags() before output, allowing HTML and script tags to persist in the rendered output. This violates secure coding practices for handling user-controlled data in web applications.
Attack Vector
The attack is network-based and requires authenticated administrative access to LibreNMS. An attacker would craft a malicious alert rule containing a JavaScript payload within a field that gets displayed on the Alert Rules page. When another user navigates to view the alert rules, the stored script executes in their browser context with their session privileges.
```php
// Vulnerable code in includes/html/modal/alert_rule_list.inc.php
// The $rule_display variable was not being sanitized with strip_tags()
echo "
<tr>
<td>" . e(strip_tags((string)$rule['name'])) . "</td>
<td><i>" . e($rule_display) . "</i></td>
<td>{$rule['severity']}</td>
<td>{$rule['id']}</td>
</tr>";

// Fixed code - now applies strip_tags() to $rule_display
echo "
<tr>
<td>" . e(strip_tags((string) $rule['name'])) . "</td>
<td><i>" . e(strip_tags((string) $rule_display)) . "</i></td>
<td>{$rule['severity']}</td>
<td>{$rule['id']}</td>
</tr>";
```
Source: GitHub Commit Update
Detection Methods for CVE-2026-26989
Indicators of Compromise
- Unusual or suspicious JavaScript code found in alert rule names or display fields in the LibreNMS database
- Alert rules containing script tags or event-handler attributes, plain or encoded, such as <script>, onerror=, or onload=
- Unexpected outbound connections from user browsers when accessing the Alert Rules page
Detection Strategies
- Review web server access logs for POST requests to alert rule endpoints with suspicious payloads
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor LibreNMS audit logs for alert rule creation or modification by compromised or suspicious accounts
Monitoring Recommendations
- Enable browser developer console monitoring for JavaScript errors or unexpected script execution when accessing LibreNMS
- Deploy Web Application Firewall (WAF) rules to detect XSS payloads in HTTP request parameters
- Conduct periodic database audits of alert rule content for embedded HTML or JavaScript
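One way to run the periodic database audit recommended above, and to look for the encoded tags and event handlers listed under Indicators of Compromise. This is an added example, not code from LibreNMS or the original advisory. The rows are constructed, and the field names `id`, `name` and `rule` are assumptions standing in for an export of the alert rules table.

```python
import html
import re
from urllib.parse import unquote

# Markers taken from the indicators above: HTML tags and inline event handlers.
# A tag must start with "<" directly followed by a letter, so comparison
# operators inside a rule expression ("uptime < 300") are not flagged.
MARKERS = {
    "html_tag": re.compile(r"</?[a-z][^<>]*>", re.I),
    "event_handler": re.compile(r"""(?:^|[\s"'/<])on[a-z]{3,}\s*=""", re.I),
}


def normalise(value, max_rounds=3):
    """Undo layered percent- and HTML-entity encoding so hidden markup shows."""
    text = str(value)
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def audit_rules(rows, fields=("name", "rule")):
    """Return (rule id, field, marker) for each field whose value carries markup."""
    findings = []
    for row in rows:
        for field in fields:
            text = normalise(row.get(field) or "")
            for label, pattern in MARKERS.items():
                if pattern.search(text):
                    findings.append((row["id"], field, label))
    return findings


# Constructed sample rows; the field names are assumptions, not the real schema.
SAMPLE_ROWS = [
    {"id": 1, "name": "Device down", "rule": "devices.status = 0"},
    {"id": 2, "name": "High load", "rule": "load.avg > 90 && devices.uptime < 300"},
    {"id": 3, "name": "<b>Port</b> flap", "rule": 'ports.ifOperStatus = "down"'},
    {"id": 4, "name": "Temp", "rule": "&lt;img src=x onerror=alert(1)&gt;"},
    {"id": 5, "name": "Disk", "rule": "%3Cscript%3Ealert(1)%3C/script%3E"},
]

if __name__ == "__main__":
    for rule_id, field, label in audit_rules(SAMPLE_ROWS):
        print(f"rule {rule_id}: {label} in {field!r}")
```

Each finding is a prompt for manual review of that rule, not proof of compromise.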
How to Mitigate CVE-2026-26989
Immediate Actions Required
- Upgrade LibreNMS to version 26.2.0 or later immediately
- Review existing alert rules for any malicious content and sanitize or remove suspicious entries
- Audit administrative user accounts for any unauthorized access or suspicious activity
- Invalidate active sessions for all users after applying the patch
Patch Information
The vulnerability has been fixed in LibreNMS version 26.2.0. The fix applies strip_tags() to the $rule_display variable before output, preventing HTML and script injection. The patch is available via commit 087608cf9f851189847cb8e8e5ad002e59170c58. For detailed information, refer to the GitHub Security Advisory GHSA-6xmx-xr9p-58p7 and the GitHub Release 26.2.0.
Workarounds
- Restrict administrative access to trusted personnel only until the patch can be applied
- Implement strict Content Security Policy headers to mitigate JavaScript execution from stored payloads
- Manually review and sanitize all existing alert rule entries in the database for malicious content
```bash
# Update LibreNMS to the patched version
cd /opt/librenms
git fetch --all
git checkout 26.2.0
./scripts/composer_wrapper.php install --no-dev
./lnms migrate
```

