CVE-2026-26992: LibreNMS /port-groups name Stored Cross-Site Scripting
(updated )
/port-groups name Stored Cross-Site Scripting
- HTTP POST
- Request-URI(s): “/port-groups”
- Vulnerable parameter(s): “name”
- Attacker must be authenticated with “admin” privileges.
- When a user adds a port group, an HTTP POST request is sent to the Request-URI “/port-groups”. The name of the newly created port group is stored in the value of the name parameter.
- After the port group is created, the entry is displayed along with some relevant buttons like Edit and Delete.
References
- github.com/advisories/GHSA-93fx-g747-695x
- github.com/librenms/librenms
- github.com/librenms/librenms/commit/882fe6f90ea504a3732f83caf89bba7850a5699f
- github.com/librenms/librenms/pull/19042
- github.com/librenms/librenms/releases/tag/26.2.0
- github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x
- nvd.nist.gov/vuln/detail/CVE-2026-26992
Code Behaviors & Features
Detect and mitigate CVE-2026-26992 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →