CVE-2026-26988: LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream.
SQL Injection in IPv6 Address Search functionality via address parameter
A SQL injection vulnerability exists in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation.
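An added example, not LibreNMS code: one way to handle an `address/prefix` search value so that the prefix is validated as a number and never becomes part of the SQL text. The function names, the exact-match query shape and the `ipv6_address` / `ipv6_prefixlen` column names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: split "address/prefix" search input into validated
// parts. Returns null when either part is not acceptable.
function parseIpv6Search(string $input): ?array
{
    $parts = explode('/', trim($input), 2);
    $address = $parts[0];
    $prefix = $parts[1] ?? null;

    // Assumption: this sketch only accepts a complete IPv6 literal.
    if (filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
        return null;
    }
    if ($prefix !== null) {
        // The prefix must be digits only and within 0..128; reject the rest.
        if (!ctype_digit($prefix) || strlen($prefix) > 3 || (int) $prefix > 128) {
            return null;
        }
        $prefix = (int) $prefix;
    }
    return ['address' => $address, 'prefix' => $prefix];
}

// Hypothetical helper: build the WHERE clause from placeholders only.
// Values are returned separately so the caller binds them as parameters.
function buildIpv6Where(array $search): array
{
    $sql = 'ipv6_address = ?';            // assumed column name
    $params = [$search['address']];
    if ($search['prefix'] !== null) {
        $sql .= ' AND ipv6_prefixlen = ?'; // assumed column name
        $params[] = $search['prefix'];
    }
    return [$sql, $params];
}

// Constructed sample inputs: two well-formed, two that must be rejected.
$samples = ['2001:db8::1/64', '2001:db8::1', '2001:db8::1/64 OR 1=1', '2001:db8::1/129'];
foreach ($samples as $input) {
    $search = parseIpv6Search($input);
    if ($search === null) {
        echo "rejected: {$input}\n";
        continue;
    }
    [$where, $params] = buildIpv6Where($search);
    echo "accepted: {$where} with " . json_encode($params) . "\n";
}
```

The returned clause and parameter list are meant to be passed to a prepared statement (for example PDO `prepare()` and `execute($params)`), so the database driver, not string concatenation, carries the values.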