CVE-2026-26987
EPSS 0.00%
LibreNMS affected by reflected XSS via email field
Published: 2026/2/18, Modified: 2026/2/20
Description
### Summary

Reflected XSS via email field.

### Details

1. Visit `http://127.0.0.1/settings/alerting/email`
2. In the email address input, put this payload: `<img src=1 onerror=alert(document.cookie)>`
3. Notice the alert

### PoC

- Video attached with the report: https://github.com/user-attachments/assets/c1b443f5-85c6-4545-b04f-def06d82b42e

### Impact

Can lead to account takeover (ATO).
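The advisory describes an email address setting being reflected into the page without neutralisation. The following PHP is an added illustration for this record, not LibreNMS code and not the fix from the referenced commit; the function names are hypothetical. It shows the two defences that independently stop the quoted payload: server-side validation that rejects anything that is not an email address, and HTML output encoding so a reflected value renders as text rather than as an `<img>` element with an event handler.

```php
<?php
// Added example (not LibreNMS code): two independent defences against a
// reflected XSS through an email settings field. Function names are hypothetical.

// Server-side validation: an alerting email address must parse as an email
// address, so markup such as the advisory's payload is rejected outright.
// Returns the validated address, or null when the input is rejected.
function validate_alert_email(string $input): ?string
{
    $candidate = trim($input);
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Output encoding: whatever is reflected back into the settings form is
// HTML-escaped with ENT_QUOTES, so the value can neither close the attribute
// nor introduce a new element, even if it slipped past validation.
function render_email_field(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="email" name="email" value="' . $escaped . '">';
}

// Constructed inputs: the payload quoted in the advisory and a benign address.
$payload = '<img src=1 onerror=alert(document.cookie)>';
$benign  = 'noc@example.com';

// Validation rejects the payload and accepts the benign address.
var_dump(validate_alert_email($payload));
var_dump(validate_alert_email($benign));

// Encoding renders both values as inert attribute text.
echo render_email_field($payload), PHP_EOL;
echo render_email_field($benign), PHP_EOL;
```

Validation alone is the wrong place to rely on, because a value stored by an older version or imported from another path still reaches the template; encoding at the point of output is what makes the reflection harmless regardless of where the value came from. In a Laravel/Blade template the equivalent of the `htmlspecialchars` call is the default `{{ $value }}` syntax, whereas `{!! $value !!}` emits the raw string.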
Affected packages (1)
- Packagist / librenms/librenms: from 0, < 26.2.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-26987
- PATCH: https://github.com/librenms/librenms
- WEB: https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b
- WEB: https://github.com/librenms/librenms/pull/19038
- WEB: https://github.com/librenms/librenms/releases/tag/26.2.0
- WEB: https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr