LibreNMS Email Field XSS Attack Can Steal Your Session

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.3

LibreNMS Email Field XSS Attack Can Steal Your Session

CVE-2026-26987 GHSA-gqx7-99jw-6fpr

Summary

A security flaw in LibreNMS allows an attacker to trick you into revealing your login credentials. This can happen when you visit a malicious website or open a phishing email that includes a link to the LibreNMS email settings page. To stay safe, update LibreNMS to the latest version and be cautious when entering email addresses online.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
librenms	librenms	<= 26.2.0	–

Original title

LibreNMS affected by reflected xss via email field

Original description

### Summary
reflected xss via email field

### Details
1. visit `http://127.0.0.1/settings/alerting/email`
2. in the email address input but this payload
`<img src=1 onerror=alert(document.cookie)>`
3. notice the alert
### PoC
- video attached with the report
https://github.com/user-attachments/assets/c1b443f5-85c6-4545-b04f-def06d82b42e

### Impact
can lead to ATO

nvd CVSS3.1 6.1

nvd CVSS4.0 5.3

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://nvd.nist.gov/vuln/detail/CVE-2026-26987
https://github.com/advisories/GHSA-gqx7-99jw-6fpr
https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71... Patch
https://github.com/librenms/librenms/pull/19038 Issue Tracking
https://github.com/librenms/librenms/releases/tag/26.2.0 Product Release Notes
https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr Exploit Third Party Advisory

Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026