CVE-2026-26989: LibreNMS has a Stored XSS in Alert Rule
A stored cross-site scripting (XSS) vulnerability exists in the creation of Alert Rules in LibreNMS (<= 25.12.0). A user with the admin role can inject malicious JavaScript, which is executed when the alert rules page is viewed.
References
- github.com/advisories/GHSA-6xmx-xr9p-58p7
- github.com/librenms/librenms
- github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58
- github.com/librenms/librenms/pull/19039
- github.com/librenms/librenms/releases/tag/26.2.0
- github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7
- nvd.nist.gov/vuln/detail/CVE-2026-26989