CVE-2020-36947: LibreNMS contains an authenticated SQL Injection vulnerability

January 27, 2026 (updated February 2, 2026)

LibreNMS 1.46 contains an authenticated SQL Injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the ‘sort’ parameter with crafted SQL Injection techniques to retrieve sensitive database contents through time-based blind SQL Injection.

References

community.librenms.org/
github.com/advisories/GHSA-qp2j-v5jg-hg68
github.com/librenms/librenms
nvd.nist.gov/vuln/detail/CVE-2020-36947
www.exploit-db.com/exploits/49246
www.vulncheck.com/advisories/librenms-mac-accounting-graph-authenticated-sql-injection

Code Behaviors & Features

Detect and mitigate CVE-2020-36947 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →