Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
5.4

LibreNMS Stored Cross-Site Scripting in Custom OID Unit Field

CVE-2026-27016 GHSA-fqx6-693c-f55g
Summary

LibreNMS's Custom OID feature is vulnerable to a type of cyber attack called Stored Cross-Site Scripting. This means that a malicious script can be injected into the system, potentially allowing an attacker to steal user data or take control of the system. Users should update to the latest version of LibreNMS to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
VendorProductAffected versionsFix available
librenms librenms > 24.10.0 , <= 26.2.0 –
Original title
LibreNMS has a Stored XSS in Custom OID - unit parameter missing strip_tags()
Original description
### Summary
The `unit` parameter in Custom OID functionality lacks `strip_tags()` sanitization while other fields (`name`, `oid`, `datatype`) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping, allowing Stored XSS.

### Details
**Vulnerable Input Processing (`includes/html/forms/customoid.inc.php` lines 18-21):**
```php
$name = strip_tags((string) $_POST['name']); // line 18 - SANITIZED
$oid = strip_tags((string) $_POST['oid']); // line 19 - SANITIZED
$datatype = strip_tags((string) $_POST['datatype']); // line 20 - SANITIZED
$unit = $_POST['unit']; // line 21 - NOT SANITIZED!
```

**Vulnerable Output (`graphs/customoid.inc.php` lines 13-20):**
```php
$customoid_unit = $customoid['customoid_unit']; // Retrieved from DB
$customoid_current = \LibreNMS\Util\Number::formatSi(...) . $customoid_unit;
echo "...$customoid_current..."; // ECHOED WITHOUT ESCAPING!
```

### PoC

```python
#!/usr/bin/env python3
"""
XSS test for LibreNMS Custom OID - unit parameter
"""

import html as html_module
import re

def strip_tags(value):
return re.sub(r'<[^>]*?>', '', str(value))

# Simulate form processing (customoid.inc.php lines 18-21)
test_inputs = {
'name': '<script>alert(1)</script>Test OID',
'oid': '1.3.6.1.4.1.2021.10.1.3.1',
'datatype': 'GAUGE',
'unit': '<script>alert("XSS")</script>',
}

name = strip_tags(test_inputs['name']) # Sanitized
oid = strip_tags(test_inputs['oid']) # Sanitized
datatype = strip_tags(test_inputs['datatype']) # Sanitized
unit = test_inputs['unit'] # NOT SANITIZED!

print("Input Processing Analysis:")
print(f" name (strip_tags): {name}")
print(f" oid (strip_tags): {oid}")
print(f" datatype (strip_tags): {datatype}")
print(f" unit (NO strip_tags): {unit}")
print()
print("*** VULNERABILITY: 'unit' parameter has NO strip_tags()! ***")

# Test XSS payloads
payloads = [
'<script>alert("XSS")</script>',
'<img src=x onerror=alert(1)>',
'<svg onload=alert(1)>',
]

print("\nXSS Payload Tests:")
for payload in payloads:
escaped = html_module.escape(payload)
has_xss = '<script>' in payload or 'onerror=' in payload.lower()
print(f" Payload: {payload}")
print(f" Raw (vulnerable): Contains executable code: {has_xss}")
print(f" Escaped (safe): {escaped}")
```

### Expected Output

```
Input Processing Analysis:
name (strip_tags): alert(1)Test OID
oid (strip_tags): 1.3.6.1.4.1.2021.10.1.3.1
datatype (strip_tags): GAUGE
unit (NO strip_tags): <script>alert("XSS")</script>

*** VULNERABILITY: 'unit' parameter has NO strip_tags()! ***
```
### Impact
- **Attack Vector:** User with device edit permissions sets malicious Unit value
- **Exploitation:** XSS payload stored in database, executes for all users viewing device graphs
- **Consequences:**
- Session hijacking via cookie theft
- Admin account takeover
- Malicious actions on behalf of victims
- Persistent attack affecting all users
- **Affected Users:** All LibreNMS installations with Custom OID feature
nvd CVSS3.1 5.4
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
CWE-116
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026