CVE-2026-27016
Last modified
CVE-2026-27016 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. EPSS estimates a 0.23% chance of exploitation in the next 30 days.
Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Librenms | Librenms | >= 24.10.0, < 26.2.0 |
References
- https://github.com/librenms/librenms/pull/19040Issue Tracking
- https://github.com/librenms/librenms/releases/tag/26.2.0Product, Release Notes
- https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55gThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-27016?
How severe is CVE-2026-27016?
How do I fix CVE-2026-27016?
Are you affected by CVE-2026-27016?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST