CVE-2026-26987
EPSS 0.00%
LibreNMS affected by reflected XSS via email field
Published: 2/18/2026
Modified: 2/20/2026
Also known as: GHSA-gqx7-99jw-6fpr
Description
### Summary
Reflected XSS via the email field.

### Details
1. Visit `http://127.0.0.1/settings/alerting/email`.
2. In the email address input, put this payload: `<img src=1 onerror=alert(document.cookie)>`
3. Notice the alert.

### PoC
- Video attached with the report: https://github.com/user-attachments/assets/c1b443f5-85c6-4545-b04f-def06d82b42e

### Impact
Can lead to account takeover (ATO).
Affected packages (1)
- Packagist/librenms/librenms: from 0, < 26.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-26987
- PATCH: https://github.com/librenms/librenms
- WEB: https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b
- WEB: https://github.com/librenms/librenms/pull/19038
- WEB: https://github.com/librenms/librenms/releases/tag/26.2.0
- WEB: https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr