CVE-2026-2728
LibreNMS: Cross-Site Scripting in ShowConfigController
Severity: LOW 3.5 | EPSS: 0.00%
Description
### Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the ShowConfig page of devices affected by the RANCID Integration settings. The application fails to properly sanitise the `rancid_repo_url` configuration value. When a user navigates to a device's configuration page, this unsanitised value is rendered directly within an HTML anchor (`<a>`) tag. This allows an authenticated user with permission to modify external settings to inject malicious JavaScript that will execute in the browser of any user viewing the affected device pages.

### Details

The vulnerability is located in the external settings configuration block, specifically at the `settings/external/rancid` endpoint. When a valid `rancid_configs` is set, the application renders the corresponding `rancid_repo_url` as a clickable link labeled "Git Repository" on the `/device/{id}/showconfig` UI. Because the `rancid_repo_url` input is neither validated upon saving nor contextually encoded upon rendering, an attacker can break out of the `href` attribute context or use JavaScript URIs to attach malicious event handlers or scripts.

This vulnerability is introduced at line 13 of https://github.com/librenms/librenms/blob/master/includes/html/pages/device/showconfig.inc.php.

### PoC

1. Log in as an admin and navigate to `/settings/external/rancid`.
2. Add a valid path to `rancid_configs`. This can be any directory ending with `.git`.
3. Put `"></a><img/src/onerror=alert(1)><a x="` into the `rancid_repo_url` config.
4. Navigate to a device page and click `Config` (or visit `/device/{id}/showconfig` directly).
5. The XSS is triggered when visiting the page. It will pop up an alert dialog.

#### Other Payloads

- `javascript:alert(1)" x="` - triggered by clicking the link.
- `" onmouseover="alert(1)" x="` - triggered by hovering over the link.

### Impact

Since an admin account is required to change the settings, the risk is minimal in systems with a single administrator. However, in environments with multiple administrative users, this constitutes an Admin-to-Admin Cross-Site Scripting attack. It could be used by a compromised admin account to execute arbitrary frontend code in the context of another administrator's session, potentially leading to session hijacking or unauthorized data exposure.

### Remediation Advice

Ensure proper sanitisation is performed on the affected fields, with all special characters escaped and HTML encoded. This can be done with existing frameworks like HTMLPurifier.

### CVE Request

CVE References: https://projectblack.io/blog/librenms-authenticated-rce-and-xss/
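As an added illustration (not LibreNMS code and not the actual contents of showconfig.inc.php), the PHP below contrasts the unescaped anchor pattern the Details section describes with a rendering that validates the URL scheme and then applies attribute-context encoding; the scheme allow-list is there because the `javascript:alert(1)` payload listed above contains nothing that HTML encoding would change. The `render_repo_link_*` and `is_safe_repo_url` functions and the sample inputs are constructed for this example.

```php
<?php
// Added example, not LibreNMS code: how an admin-supplied rancid_repo_url ends up
// inside href="..." and what a scheme-checked, contextually encoded version looks like.

// Vulnerable pattern: the raw value is concatenated into the attribute, so a value
// containing a double quote closes href and the remainder is parsed as markup.
function render_repo_link_vulnerable(string $url): string
{
    return '<a href="' . $url . '">Git Repository</a>';
}

// Allow only absolute http(s) URLs with a host. Attribute encoding alone does not
// neutralise a javascript: URI, because it contains no character that needs encoding.
function is_safe_repo_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Hardened pattern: validate first, then encode for the attribute context.
// ENT_QUOTES converts both " and ' to entities so the value cannot leave href="...".
function render_repo_link_safe(string $url): string
{
    if (!is_safe_repo_url($url)) {
        return ''; // render no link at all for a value that fails validation
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $escaped . '">Git Repository</a>';
}

// Constructed inputs: one legitimate value plus the three payloads from the advisory.
$inputs = [
    'https://git.example.com/configs.git',
    '"></a><img/src/onerror=alert(1)><a x="',
    'javascript:alert(1)" x="',
    '" onmouseover="alert(1)" x="',
];

foreach ($inputs as $value) {
    echo 'vulnerable: ' . render_repo_link_vulnerable($value) . PHP_EOL;
    echo 'hardened:   ' . (render_repo_link_safe($value) ?: '(rejected, no link rendered)') . PHP_EOL;
}
```

Only the first input produces a link from the hardened renderer; the three payloads are rejected before any encoding takes place.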
Affected packages (2)
- Packagist: librenms/librenms >= 25.12.0, < 26.3.0
- Packagist: librenms/librenms from 0, < 26.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N |
| osv | CVSS 3.1 | LOW 3.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-2728
- PATCH: https://github.com/librenms/librenms
- WEB: https://github.com/librenms/librenms/releases/tag/26.3.0
- WEB: https://github.com/librenms/librenms/security/advisories/GHSA-5gm9-622f-qcg5
- WEB: https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#xss-on-showconfig-page-2630