CVE-2026-2728: LibreNMS affected by an authenticated Cross-site Scripting vulnerability on the showconfig page

April 13, 2026 (updated April 27, 2026)

LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. Successful exploitation requires administrative privileges. Exploitation could result in XSS attacks being performed against other users with access to the page.

References

github.com/advisories/GHSA-rp7w-624x-95qv
github.com/librenms/librenms
nvd.nist.gov/vuln/detail/CVE-2026-2728
projectblack.io/blog/librenms-authenticated-rce-and-xss/

Code Behaviors & Features

Detect and mitigate CVE-2026-2728 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →