CVE-2026-27016 Overview
LibreNMS, an auto-discovering PHP/MySQL/SNMP-based network monitoring tool, contains a Stored Cross-Site Scripting (XSS) vulnerability in versions 24.10.0 through 26.1.1. The vulnerability exists in the Custom OID functionality where the unit parameter lacks proper sanitization using strip_tags(), unlike other fields such as name, oid, and datatype which are properly sanitized. The unsanitized value is stored directly in the database and subsequently rendered without HTML escaping, allowing attackers with authenticated access to inject malicious scripts that execute in the context of other users viewing the affected pages.
Critical Impact
Authenticated attackers can inject persistent malicious scripts through the Custom OID unit parameter, potentially compromising admin sessions, stealing credentials, or performing unauthorized actions within the LibreNMS network monitoring infrastructure.
Affected Products
- LibreNMS versions 24.10.0 through 26.1.1
- LibreNMS Custom OID functionality (customoid.inc.php)
- All deployments using Custom OID features without proper input sanitization
Discovery Timeline
- 2026-02-20 - CVE-2026-27016 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-27016
Vulnerability Analysis
This Stored XSS vulnerability stems from inconsistent input sanitization in the LibreNMS Custom OID form handler. The vulnerability allows authenticated users to inject arbitrary JavaScript code through the unit parameter when creating or modifying Custom OID entries. Because the malicious payload is stored in the database, it persists and executes every time the affected Custom OID data is rendered in the web interface.
The attack requires authenticated access to LibreNMS with permissions to create or modify Custom OID entries. When a victim user views pages displaying the compromised Custom OID data, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized administrative actions.
Root Cause
The root cause is a missing strip_tags() function call on the unit parameter in the includes/html/forms/customoid.inc.php file. While other user-controlled parameters (name, oid, datatype) are properly sanitized using strip_tags() to remove HTML tags, the unit parameter is directly assigned from $_POST['unit'] without any sanitization. This inconsistency creates an injection point where HTML and JavaScript content can be inserted into the database and subsequently rendered without proper encoding.
Attack Vector
The attack vector involves an authenticated user with Custom OID creation/modification privileges submitting a malicious payload through the unit parameter. Because no sanitization is applied to this field, the payload is stored in the database unchanged. When any user accesses a page that displays the Custom OID unit value, the stored script executes in their browser, leveraging the trust relationship between the user's browser and the LibreNMS application.
// Vulnerable code - unit parameter lacks strip_tags() sanitization
// Source: includes/html/forms/customoid.inc.php
$name = strip_tags((string) $_POST['name']);
$oid = strip_tags((string) $_POST['oid']);
$datatype = strip_tags((string) $_POST['datatype']);
-$unit = $_POST['unit'];
+$unit = strip_tags((string) $_POST['unit']);
$limit = $_POST['limit'];
$limit_warn = $_POST['limit_warn'];
$limit_low = $_POST['limit_low'];
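Review bot: the added strip_tags() on `$unit` makes the field consistent with `$name`, `$oid` and `$datatype`, but tag stripping at input time is not output encoding; the page states the stored value is rendered without HTML escaping, so the template that prints the unit should also escape it for its HTML context, otherwise any value that reaches the database by another path is still rendered raw. Separately, `$limit`, `$limit_warn` and `$limit_low` are still assigned straight from `$_POST`; if they are numeric thresholds, casting them (for example `(float) $_POST['limit']`) would reject non-numeric input in the same place.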
Source: GitHub Commit 3bea263
Detection Methods for CVE-2026-27016
Indicators of Compromise
- Custom OID entries containing HTML tags or JavaScript code in the unit field
- Database entries in the Custom OID table with <script>, <img>, or other HTML elements in unit values
- Unusual JavaScript execution or browser behavior when viewing Custom OID pages
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor application logs for unusual Custom OID creation or modification activities
- Perform regular database audits to identify unit field values containing HTML or script tags
- Deploy Web Application Firewall (WAF) rules to detect XSS payload patterns in POST requests
Monitoring Recommendations
- Enable detailed logging for Custom OID form submissions and database modifications
- Monitor user sessions for signs of hijacking or unexpected privilege usage
- Set up alerts for JavaScript errors or CSP violations in client browsers
- Audit Custom OID entries periodically for malicious content patterns
How to Mitigate CVE-2026-27016
Immediate Actions Required
- Upgrade LibreNMS to version 26.2.0 or later immediately
- Review existing Custom OID entries in the database for potential malicious content in the unit field
- Restrict Custom OID creation/modification permissions to trusted administrators only
- Implement Content Security Policy headers to mitigate script execution risks
Patch Information
LibreNMS has addressed this vulnerability in version 26.2.0. The fix applies strip_tags() sanitization to the unit parameter, consistent with the sanitization already applied to other fields. The patch is available in GitHub Pull Request #19040 and the fix commit is documented in the GitHub Commit 3bea263. For detailed information, refer to the GitHub Security Advisory GHSA-fqx6-693c-f55g.
Workarounds
- Restrict access to Custom OID functionality to trusted administrators only
- Implement Web Application Firewall (WAF) rules to filter XSS payloads in POST requests to Custom OID endpoints
- Add Content Security Policy headers to prevent inline script execution
- Manually sanitize existing database entries by removing HTML tags from Custom OID unit fields
# Configuration example - Add CSP headers to Apache configuration
# Add to your LibreNMS Apache virtual host configuration. Roll it out as Content-Security-Policy-Report-Only first: a policy that blocks inline scripts can break parts of a web UI that relies on them.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
# Database cleanup - Find potentially malicious unit entries
mysql -u librenms -p -e "SELECT id, name, unit FROM librenms.customoids WHERE unit REGEXP '<[^>]+>';"
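The root cause described above (no strip_tags() on the unit field, then rendering without escaping) and the database cleanup query above motivate the following added example, which is not LibreNMS code: a hardened unit handler that strips tags and validates against an allowlist, the HTML escaping that output needs regardless of input filtering, and an audit over constructed rows equivalent to the REGEXP query. Column names follow the page's query (check them against your schema) and the unit allowlist pattern is an assumption.

```php
<?php
// Added example (not LibreNMS code): hardened handling of the Custom OID
// "unit" value plus an audit over stored rows. Column names id/name/unit
// follow the page's cleanup query; the unit allowlist pattern is an assumption.
declare(strict_types=1);
// Input side: mirror the fix (strip_tags) and additionally constrain the value
// to what a measurement unit can plausibly contain. Returns null on rejection.
function sanitizeUnit(mixed $raw): ?string
{
    $unit = trim(strip_tags((string) $raw));
    // Letters, digits, space and a few unit symbols; markup never matches.
    if ($unit === '' || !preg_match('/^[\p{L}\p{N} %\/.\-_°]{1,32}$/u', $unit)) {
        return null;
    }
    return $unit;
}
// Output side: stripping tags on input is defence in depth only; every place
// that renders the stored value must still HTML-escape it for its context.
function renderUnit(string $unit): string
{
    return '<span class="unit">'
        . htmlspecialchars($unit, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}
// Audit side: flag rows whose stored unit contains a tag (the same test as the
// page's REGEXP '<[^>]+>') or would not survive sanitizeUnit() unchanged.
function auditCustomOids(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $stored = (string) $row['unit'];
        if (preg_match('/<[^>]+>/', $stored)) {
            $findings[] = ['id' => $row['id'], 'reason' => 'HTML tag in unit'];
        } elseif (sanitizeUnit($stored) !== $stored) {
            $findings[] = ['id' => $row['id'], 'reason' => 'unit fails allowlist'];
        }
    }
    return $findings;
}
// Constructed sample rows standing in for the output of the page's SELECT.
$rows = [
    ['id' => 1, 'name' => 'uplink_bps', 'unit' => 'bps'],
    ['id' => 2, 'name' => 'cpu_temp',   'unit' => '<b>bps</b>'],
    ['id' => 3, 'name' => 'fan_speed',  'unit' => 'rpm; x=1'],
];
foreach (auditCustomOids($rows) as $f) {
    printf("customoid id=%d: %s\n", $f['id'], $f['reason']);
}
echo renderUnit(sanitizeUnit('<b>ms</b>') ?? 'n/a'), "\n";
```

Rows 2 and 3 are reported while row 1 passes; the final line shows a tagged value reduced to "ms" and then escaped at render time.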
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

