CVE-2026-26991 Overview
LibreNMS, an auto-discovering PHP/MySQL/SNMP-based network monitoring tool, contains a Stored Cross-Site Scripting (XSS) vulnerability in versions 26.1.1 and below. The device group name parameter is not properly sanitized, allowing attackers with admin privileges to inject malicious scripts that execute in the browsers of other users when they view the device groups page.
Critical Impact
Attackers with admin privileges can inject persistent malicious JavaScript that executes when other users interact with device group management features, potentially leading to session hijacking, credential theft, or further compromise of the monitoring infrastructure.
Affected Products
- LibreNMS versions 26.1.1 and below
- LibreNMS device group management component
- Deployments exposing the /device-groups web endpoint
Discovery Timeline
- 2026-02-20 - CVE-2026-26991 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26991
Vulnerability Analysis
This Stored XSS vulnerability exists in the device group management functionality of LibreNMS. When an administrator creates a new device group via an HTTP POST request to the /device-groups endpoint, the submitted name parameter is stored as-is. The stored name is subsequently rendered in the web interface alongside the action buttons (Rediscover Devices, Edit and Delete), and because it was not encoded for the context in which it appeared, an injected script executes in the browser of any user who views the device groups page.
The vulnerability specifically manifests in the Blade template that renders device group entries: the device group name was passed directly into the JavaScript call in the delete button's onclick handler without encoding appropriate for a JavaScript string literal, creating an injection point for malicious scripts.
Root Cause
The root cause is improper output encoding in the resources/views/device-group/index.blade.php template file. The device group name was interpolated into a JavaScript onclick handler on the delete button. Blade's automatic escaping only HTML-entity-encodes the value, and the browser decodes those entities while parsing the attribute, before the JavaScript engine ever sees it, so quotes and other special characters in the name reach the inline script unchanged. A specially crafted device group name could therefore break out of the string literal and execute as JavaScript when the page was rendered.
Attack Vector
The attack requires network access and exploits the web application layer. An attacker with administrative privileges can create a device group with a maliciously crafted name containing JavaScript code. When any user views the device groups page, the malicious script executes in their browser context. While this requires prior authentication and admin privileges, the stored nature of the XSS means the payload persists and can affect multiple users over time.
The security patch addresses this by moving the device group name out of the inline JavaScript into a data-group-name attribute, an ordinary HTML attribute context in which Blade's entity encoding is sufficient:
href="{{ route('device-groups.edit', $device_group->id) }}">
<i class="fa fa-pencil" aria-hidden="true"></i></a>
<button type="button" class="btn btn-danger btn-sm" title="{{ __('delete Device Group') }}" aria-label="{{ __('Delete') }}"
- onclick="delete_dg(this, '{{ $device_group->name }}', '{{ route('device-groups.destroy', $device_group->id) }}')">
+ data-group-name="{{ $device_group->name }}"
+ onclick="delete_dg(this, '{{ route('device-groups.destroy', $device_group->id) }}')">
<i
class="fa fa-trash" aria-hidden="true"></i></button>
</td>
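Review bot: the `+` onclick line now calls delete_dg with two arguments where the `-` line passed three, but the corresponding change to delete_dg itself is not in this hunk. The fix is only complete if that function reads the name from the button, e.g. this.dataset.groupName or this.getAttribute('data-group-name'), and then treats it as text (in a confirm() message or via textContent), never via innerHTML, since that would put the decoded name back into an HTML context. Suggest confirming that the JavaScript side is updated in the same commit.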
Source: GitHub Commit 64b31da
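The context mismatch described under Root Cause, and why the data-attribute fix closes it, modelled in Python as an added example (not LibreNMS code): Blade's {{ }} is approximated with html.escape, the browser's attribute decoding with html.unescape, and the destroy route is a constructed sample value.

```python
import html

# Constructed sample value for the destroy route; not from any deployment.
DESTROY_URL = "/device-groups/7"


def blade_echo(value: str) -> str:
    """Model of Blade's {{ }}: PHP htmlspecialchars with ENT_QUOTES, i.e.
    & < > " and ' become HTML entities. This is HTML encoding, nothing more."""
    return html.escape(value, quote=True)


def old_onclick_source(name: str) -> str:
    """Pre-patch delete button: the echoed name sits inside a single-quoted
    JavaScript string literal in the onclick attribute. The browser decodes
    the attribute's entities when parsing the HTML, so the JS engine receives
    the raw characters again; the returned string is that decoded JS source."""
    attr = f"delete_dg(this, '{blade_echo(name)}', '{blade_echo(DESTROY_URL)}')"
    return html.unescape(attr)


def new_data_attr_value(name: str) -> str:
    """Post-patch delete button: the echoed name sits in data-group-name.
    Attribute decoding yields the original text, which delete_dg then reads
    as plain data (e.g. this.dataset.groupName) with no further parsing."""
    return html.unescape(blade_echo(name))


def name_survives_as_literal(name: str) -> bool:
    """True when the decoded onclick still holds the name as one intact
    single-quoted literal: exactly the four quotes of the two arguments, and
    the name itself bounded by quotes. A single apostrophe in a benign name
    is enough to break this, which is the whole problem with the old code."""
    js = old_onclick_source(name)
    return js.count("'") == 4 and f"'{name}'" in js


if __name__ == "__main__":
    for group in ("core-routers", "O'Brien's switches"):
        print(repr(old_onclick_source(group)),
              "intact" if name_survives_as_literal(group) else "BROKEN",
              "| data attr ->", repr(new_data_attr_value(group)))
```

Even the benign apostrophe in "O'Brien's switches" terminates the old string literal early, which is why entity encoding alone was never the right defence for that position.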
Detection Methods for CVE-2026-26991
Indicators of Compromise
- Device group names containing HTML or JavaScript elements such as <script> tags, event-handler attributes like onclick or onerror, or URL- or entity-encoded variants of these
- Unusual HTTP POST requests to /device-groups with suspicious payloads in the name parameter
- Web server logs showing attempts to create device groups with special characters or encoded scripts
Detection Strategies
- Review existing device group names in the database for suspicious content or script tags
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in POST requests to /device-groups
- Monitor for anomalous administrative activity, particularly bulk creation or modification of device groups
Monitoring Recommendations
- Enable detailed logging for the device group management endpoints
- Configure alerts for device group names containing angle brackets, event handlers, or JavaScript protocol handlers
- Audit administrative user sessions for signs of compromise or unauthorized access
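The audits suggested under Detection Strategies and Monitoring Recommendations, as an added Python example (not LibreNMS code): it classifies device group names against the indicators listed above after undoing URL and entity encoding. The rows are constructed samples standing in for the result of querying the device_groups table's name column (the table and column names are an assumption about the schema); the apostrophe check matters only for unpatched versions and will flag legitimate names for review.

```python
import html
import re
from urllib.parse import unquote

# Indicators from the advisory, evaluated against the fully decoded name.
INDICATORS = {
    "angle_bracket": re.compile(r"[<>]"),
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js_protocol": re.compile(r"javascript\s*:", re.I),
    # Relevant only before the patch: a quote or backslash could terminate the
    # JS string literal in the old onclick handler. Expect benign hits.
    "js_literal_break": re.compile(r"['\\]"),
}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL and HTML-entity encoding until the value stops changing, so
    %3Cscript%3E or &lt;script&gt; are judged by what the browser would see."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def classify_name(name: str) -> list:
    """Return the indicator labels that match; an empty list means clean."""
    decoded = fully_decode(name)
    return [label for label, rx in INDICATORS.items() if rx.search(decoded)]


def audit_device_groups(rows) -> dict:
    """rows: iterable of (id, name) pairs. Returns {id: [labels]} for flagged
    rows, ready for an operator to review and rename or delete."""
    return {gid: hits for gid, name in rows if (hits := classify_name(name))}


# Constructed sample rows; the ids and names are not from any real deployment.
SAMPLE_ROWS = [
    (1, "core-routers"),
    (2, "Branch Offices (EU)"),
    (3, "O'Brien's switches"),
    (4, "%3Cb%20onclick%3Dx%3E"),
    (5, "&lt;svg onload=1&gt;"),
    (6, "javascript:void(0)"),
]

if __name__ == "__main__":
    for gid, hits in audit_device_groups(SAMPLE_ROWS).items():
        print(f"device_groups.id={gid}: {', '.join(hits)}")
```

The same classify_name check can be applied to the name field of POST /device-groups requests in web server or WAF logs, since the decoding step handles the URL-encoded form those logs carry.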
How to Mitigate CVE-2026-26991
Immediate Actions Required
- Upgrade LibreNMS to version 26.2.0 or later immediately
- Audit existing device groups for malicious or suspicious names and sanitize or remove them
- Review administrative user accounts for unauthorized access or compromise
- Consider implementing Content Security Policy (CSP) headers to mitigate XSS impact; note that the template itself relies on inline onclick handlers, as the patch above shows, so a policy that forbids inline script must be introduced carefully
Patch Information
LibreNMS has released version 26.2.0 which addresses this vulnerability. The fix modifies the resources/views/device-group/index.blade.php template to use a data-group-name attribute instead of directly interpolating the device group name into the onclick handler. This ensures proper HTML encoding of the value. The patch is available via GitHub Commit 64b31da and the GitHub Release 26.2.0.
Workarounds
- Restrict administrative access to trusted users only until the patch can be applied
- Implement input validation at the application or WAF level to reject device group names containing HTML or script elements
- Regularly audit device group entries for suspicious content as a compensating control
# Upgrade LibreNMS to patched version
cd /opt/librenms
git fetch --all
git checkout 26.2.0
./scripts/composer_wrapper.php install --no-dev
./lnms migrate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

