Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/34555?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/34555?format=api", "purl": "pkg:composer/librenms/librenms@25.8.0", "type": "composer", "namespace": "librenms", "name": "librenms", "version": "25.8.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "26.3.0", "latest_non_vulnerable_version": "201609", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/102736?format=api", "vulnerability_id": "VCID-18g9-2u9c-nbez", "summary": "LibreNMS is a community-based GPL-licensed network monitoring system. LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the Transport name field is stored and later rendered in the Transports column of the Alert Rules page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin’s browser. 
This vulnerability is fixed in 25.10.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62411", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00723", "published_at": "2026-06-11T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00727", "published_at": "2026-06-14T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00721", "published_at": "2026-06-12T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00722", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62411" }, { "reference_url": "https://github.com/librenms/librenms/commit/e1ead366239b57e88f9a06d4f7c213b1e2530cd8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/librenms/librenms/commit/e1ead366239b57e88f9a06d4f7c213b1e2530cd8" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/25.10.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/librenms/librenms/releases/tag/25.10.0" }, { "reference_url": "https://github.com/librenms/librenms/commit/706a77085f4d5964f7de9444208ef707e1f79450", "reference_id": "706a77085f4d5964f7de9444208ef707e1f79450", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-16T18:27:02Z/" } ], "url": "https://github.com/librenms/librenms/commit/706a77085f4d5964f7de9444208ef707e1f79450" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62411", "reference_id": "CVE-2025-62411", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62411" }, { "reference_url": "https://github.com/advisories/GHSA-frc6-pwgr-c28w", "reference_id": "GHSA-frc6-pwgr-c28w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-frc6-pwgr-c28w" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-frc6-pwgr-c28w", "reference_id": "GHSA-frc6-pwgr-c28w", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-16T18:27:02Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-frc6-pwgr-c28w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34532?format=api", "purl": "pkg:composer/librenms/librenms@25.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-adhj-ruja-n7gb" }, { "vulnerability": "VCID-ae82-tsr6-c3cw" }, { "vulnerability": 
"VCID-cc1u-4ca7-v7he" }, { "vulnerability": "VCID-cmqg-e3da-r7cf" }, { "vulnerability": "VCID-g8zs-nkxb-hyc4" }, { "vulnerability": "VCID-js2a-whr7-dufs" }, { "vulnerability": "VCID-k5z7-q82d-tue6" }, { "vulnerability": "VCID-mb8k-971z-myd1" }, { "vulnerability": "VCID-rfwn-r567-qben" }, { "vulnerability": "VCID-uwnc-rpz9-7be2" }, { "vulnerability": "VCID-x6na-j6w4-n7aj" }, { "vulnerability": "VCID-x8rp-7y5r-v3eg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@25.10.0" } ], "aliases": [ "CVE-2025-62411", "GHSA-frc6-pwgr-c28w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-18g9-2u9c-nbez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75305?format=api", "vulnerability_id": "VCID-2gun-mcx6-akcy", "summary": "LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. 
Exploitation could result in compromise of the underlying web server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-6204", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00779", "published_at": "2026-06-13T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00782", "published_at": "2026-06-14T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00777", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-6204" }, { "reference_url": "https://github.com/librenms/librenms/blob/master/app/Providers/AppServiceProvider.php#L169", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/librenms/librenms/blob/master/app/Providers/AppServiceProvider.php#L169" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6204", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6204" }, { "reference_url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc", "reference_id": "#binary-path-rce-poc", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-13T12:42:55Z/" } ], "url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc" }, { "reference_url": "https://github.com/advisories/GHSA-pr3g-phhr-h8fh", "reference_id": "GHSA-pr3g-phhr-h8fh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pr3g-phhr-h8fh" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh", "reference_id": "GHSA-pr3g-phhr-h8fh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-13T12:42:55Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40935?format=api", "purl": "pkg:composer/librenms/librenms@26.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.3.0" } ], "aliases": [ "CVE-2026-6204", "GHSA-pr3g-phhr-h8fh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2gun-mcx6-akcy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79887?format=api", "vulnerability_id": "VCID-adhj-ruja-n7gb", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. 
The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27016", "reference_id": "", "reference_type": "", "scores": [ { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00192", "published_at": "2026-06-14T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00194", "published_at": "2026-06-11T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00193", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27016" }, { "reference_url": "https://github.com/librenms/librenms/pull/19040", "reference_id": "19040", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:32Z/" } ], "url": "https://github.com/librenms/librenms/pull/19040" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:32Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335", 
"reference_id": "3bea263e02441690c01dea7fa3fe6ffec94af335", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:32Z/" } ], "url": "https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27016", "reference_id": "CVE-2026-27016", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27016" }, { "reference_url": "https://github.com/advisories/GHSA-fqx6-693c-f55g", "reference_id": "GHSA-fqx6-693c-f55g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fqx6-693c-f55g" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g", "reference_id": "GHSA-fqx6-693c-f55g", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:32Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", 
"purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-27016", "GHSA-fqx6-693c-f55g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-adhj-ruja-n7gb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91045?format=api", "vulnerability_id": "VCID-ae82-tsr6-c3cw", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a reflected cross-site scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser. 
This issue has been patched in version 25.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65013", "reference_id": "", "reference_type": "", "scores": [ { "value": "2e-05", "scoring_system": "epss", "scoring_elements": "0.00031", "published_at": "2026-06-13T12:55:00Z" }, { "value": "2e-05", "scoring_system": "epss", "scoring_elements": "0.00047", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65013" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65013", "reference_id": "CVE-2025-65013", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65013" }, { "reference_url": "https://github.com/advisories/GHSA-j8cq-7f6p-256x", "reference_id": "GHSA-j8cq-7f6p-256x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j8cq-7f6p-256x" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256x", "reference_id": "GHSA-j8cq-7f6p-256x", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-19T14:46:48Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35293?format=api", "purl": 
"pkg:composer/librenms/librenms@25.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-adhj-ruja-n7gb" }, { "vulnerability": "VCID-cc1u-4ca7-v7he" }, { "vulnerability": "VCID-cmqg-e3da-r7cf" }, { "vulnerability": "VCID-g8zs-nkxb-hyc4" }, { "vulnerability": "VCID-js2a-whr7-dufs" }, { "vulnerability": "VCID-k5z7-q82d-tue6" }, { "vulnerability": "VCID-mb8k-971z-myd1" }, { "vulnerability": "VCID-x6na-j6w4-n7aj" }, { "vulnerability": "VCID-x8rp-7y5r-v3eg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@25.11.0" } ], "aliases": [ "CVE-2025-65013", "GHSA-j8cq-7f6p-256x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ae82-tsr6-c3cw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70900?format=api", "vulnerability_id": "VCID-cc1u-4ca7-v7he", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI \"/device-groups\". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. 
This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26991", "reference_id": "", "reference_type": "", "scores": [ { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00192", "published_at": "2026-06-14T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00194", "published_at": "2026-06-11T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00193", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26991" }, { "reference_url": "https://github.com/librenms/librenms/pull/19041", "reference_id": "19041", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T16:32:06Z/" } ], "url": "https://github.com/librenms/librenms/pull/19041" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T16:32:06Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c", "reference_id": "64b31da444369213eb4559ec1c304ebfaa0ba12c", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T16:32:06Z/" } ], "url": "https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26991", "reference_id": "CVE-2026-26991", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26991" }, { "reference_url": "https://github.com/advisories/GHSA-5pqf-54qp-32wx", "reference_id": "GHSA-5pqf-54qp-32wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5pqf-54qp-32wx" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx", "reference_id": "GHSA-5pqf-54qp-32wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T16:32:06Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26991", "GHSA-5pqf-54qp-32wx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cc1u-4ca7-v7he" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70911?format=api", "vulnerability_id": "VCID-cmqg-e3da-r7cf", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26987", "reference_id": "", "reference_type": "", "scores": [ { "value": "1e-05", "scoring_system": "epss", "scoring_elements": "6e-05", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26987" }, { "reference_url": "https://github.com/librenms/librenms/pull/19038", "reference_id": "19038", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/" } ], "url": "https://github.com/librenms/librenms/pull/19038" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": 
"Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b", "reference_id": "8e626b38ef92e240532cdac2ac7e38706a71208b", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/" } ], "url": "https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26987", "reference_id": "CVE-2026-26987", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26987" }, { "reference_url": "https://github.com/advisories/GHSA-gqx7-99jw-6fpr", "reference_id": "GHSA-gqx7-99jw-6fpr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqx7-99jw-6fpr" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr", "reference_id": "GHSA-gqx7-99jw-6fpr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26987", "GHSA-gqx7-99jw-6fpr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cmqg-e3da-r7cf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93084?format=api", "vulnerability_id": "VCID-g8zs-nkxb-hyc4", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. 
This issue has been patched in version 25.12.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68614", "reference_id": "", "reference_type": "", "scores": [ { "value": "1e-05", "scoring_system": "epss", "scoring_elements": "0.00012", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68614" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68614", "reference_id": "CVE-2025-68614", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68614" }, { "reference_url": "https://github.com/librenms/librenms/commit/ebe6c79bf4ce0afeb575c1285afe3934e44001f1", "reference_id": "ebe6c79bf4ce0afeb575c1285afe3934e44001f1", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-22T23:55:04Z/" } ], "url": "https://github.com/librenms/librenms/commit/ebe6c79bf4ce0afeb575c1285afe3934e44001f1" }, { "reference_url": "https://github.com/advisories/GHSA-c89f-8g7g-59wj", "reference_id": "GHSA-c89f-8g7g-59wj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c89f-8g7g-59wj" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-c89f-8g7g-59wj", "reference_id": "GHSA-c89f-8g7g-59wj", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, 
{ "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-22T23:55:04Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-c89f-8g7g-59wj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36351?format=api", "purl": "pkg:composer/librenms/librenms@25.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-adhj-ruja-n7gb" }, { "vulnerability": "VCID-cc1u-4ca7-v7he" }, { "vulnerability": "VCID-cmqg-e3da-r7cf" }, { "vulnerability": "VCID-js2a-whr7-dufs" }, { "vulnerability": "VCID-k5z7-q82d-tue6" }, { "vulnerability": "VCID-mb8k-971z-myd1" }, { "vulnerability": "VCID-wjhn-5pcd-77cv" }, { "vulnerability": "VCID-x6na-j6w4-n7aj" }, { "vulnerability": "VCID-x8rp-7y5r-v3eg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@25.12.0" } ], "aliases": [ "CVE-2025-68614", "GHSA-c89f-8g7g-59wj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g8zs-nkxb-hyc4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70766?format=api", "vulnerability_id": "VCID-js2a-whr7-dufs", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. 
This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26989", "reference_id": "", "reference_type": "", "scores": [ { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00135", "published_at": "2026-06-14T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00137", "published_at": "2026-06-11T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00136", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26989" }, { "reference_url": "https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58", "reference_id": "087608cf9f851189847cb8e8e5ad002e59170c58", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:36Z/" } ], "url": "https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58" }, { "reference_url": "https://github.com/librenms/librenms/pull/19039", "reference_id": "19039", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:36Z/" } ], "url": "https://github.com/librenms/librenms/pull/19039" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:36Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26989", "reference_id": "CVE-2026-26989", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26989" }, { "reference_url": "https://github.com/advisories/GHSA-6xmx-xr9p-58p7", "reference_id": "GHSA-6xmx-xr9p-58p7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6xmx-xr9p-58p7" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7", "reference_id": "GHSA-6xmx-xr9p-58p7", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:36Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26989", "GHSA-6xmx-xr9p-58p7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-js2a-whr7-dufs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70883?format=api", "vulnerability_id": "VCID-k5z7-q82d-tue6", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. 
This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26988", "reference_id": "", "reference_type": "", "scores": [ { "value": "1e-05", "scoring_system": "epss", "scoring_elements": "4e-05", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26988" }, { "reference_url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1", "reference_id": "15429580baba03ed1dd377bada1bde4b7a1175a1", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:39Z/" } ], "url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1" }, { "reference_url": "https://github.com/librenms/librenms/pull/18777", "reference_id": "18777", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:39Z/" } ], "url": "https://github.com/librenms/librenms/pull/18777" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26988", "reference_id": "CVE-2026-26988", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26988" }, { "reference_url": "https://github.com/advisories/GHSA-h3rv-q4rq-pqcv", "reference_id": "GHSA-h3rv-q4rq-pqcv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-h3rv-q4rq-pqcv" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-h3rv-q4rq-pqcv", "reference_id": "GHSA-h3rv-q4rq-pqcv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:39Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-h3rv-q4rq-pqcv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26988", "GHSA-h3rv-q4rq-pqcv" ], "risk_score": 4.2, "exploitability": "0.5", "weighted_severity": "8.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k5z7-q82d-tue6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359973?format=api", "vulnerability_id": "VCID-mb8k-971z-myd1", "summary": "Duplicate Advisory: LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-pr3g-phhr-h8fh. This link is maintained to preserve external references.\n\n## Original Description\nLibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. 
Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6204", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6204" }, { "reference_url": "https://github.com/advisories/GHSA-7549-ggpq-22w8", "reference_id": "GHSA-7549-ggpq-22w8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7549-ggpq-22w8" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh", "reference_id": "GHSA-pr3g-phhr-h8fh", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40935?format=api", "purl": "pkg:composer/librenms/librenms@26.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.3.0" } ], "aliases": [ "GHSA-7549-ggpq-22w8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-mb8k-971z-myd1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91291?format=api", "vulnerability_id": "VCID-rfwn-r567-qben", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. This issue has been patched in version 25.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65093", "reference_id": "", "reference_type": "", "scores": [ { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00169", "published_at": "2026-06-14T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00143", "published_at": "2026-06-13T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00144", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65093" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65093", "reference_id": "CVE-2025-65093", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65093" }, { "reference_url": "https://github.com/advisories/GHSA-6pmj-xjxp-p8g9", "reference_id": "GHSA-6pmj-xjxp-p8g9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6pmj-xjxp-p8g9" }, { 
"reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9", "reference_id": "GHSA-6pmj-xjxp-p8g9", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-19T14:58:37Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35293?format=api", "purl": "pkg:composer/librenms/librenms@25.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-adhj-ruja-n7gb" }, { "vulnerability": "VCID-cc1u-4ca7-v7he" }, { "vulnerability": "VCID-cmqg-e3da-r7cf" }, { "vulnerability": "VCID-g8zs-nkxb-hyc4" }, { "vulnerability": "VCID-js2a-whr7-dufs" }, { "vulnerability": "VCID-k5z7-q82d-tue6" }, { "vulnerability": "VCID-mb8k-971z-myd1" }, { "vulnerability": "VCID-x6na-j6w4-n7aj" }, { "vulnerability": "VCID-x8rp-7y5r-v3eg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@25.11.0" } ], "aliases": [ "CVE-2025-65093", "GHSA-6pmj-xjxp-p8g9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rfwn-r567-qben" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/102665?format=api", "vulnerability_id": "VCID-st22-w6hp-tka9", "summary": "LibreNMS is a community-based GPL-licensed network monitoring system. The alert rule name in the Alerts > Alert Rules page is not properly sanitized, and can be used to inject HTML code. 
This vulnerability is fixed in 25.10.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62412", "reference_id": "", "reference_type": "", "scores": [ { "value": "2e-05", "scoring_system": "epss", "scoring_elements": "0.00027", "published_at": "2026-06-14T12:55:00Z" }, { "value": "2e-05", "scoring_system": "epss", "scoring_elements": "0.00028", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62412" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/25.10.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/librenms/librenms/releases/tag/25.10.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62412", "reference_id": "CVE-2025-62412", "reference_type": "", "scores": [ { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62412" }, { "reference_url": "https://github.com/librenms/librenms/commit/dccdf6769976a974d70f06a7ce8d5a846b29db6f", "reference_id": "dccdf6769976a974d70f06a7ce8d5a846b29db6f", "reference_type": "", "scores": [ { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-16T18:25:48Z/" } ], "url": "https://github.com/librenms/librenms/commit/dccdf6769976a974d70f06a7ce8d5a846b29db6f" }, { "reference_url": "https://github.com/advisories/GHSA-6g2v-66ch-6xmh", 
"reference_id": "GHSA-6g2v-66ch-6xmh", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6g2v-66ch-6xmh" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-6g2v-66ch-6xmh", "reference_id": "GHSA-6g2v-66ch-6xmh", "reference_type": "", "scores": [ { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-16T18:25:48Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-6g2v-66ch-6xmh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34532?format=api", "purl": "pkg:composer/librenms/librenms@25.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-adhj-ruja-n7gb" }, { "vulnerability": "VCID-ae82-tsr6-c3cw" }, { "vulnerability": "VCID-cc1u-4ca7-v7he" }, { "vulnerability": "VCID-cmqg-e3da-r7cf" }, { "vulnerability": "VCID-g8zs-nkxb-hyc4" }, { "vulnerability": "VCID-js2a-whr7-dufs" }, { "vulnerability": "VCID-k5z7-q82d-tue6" }, { "vulnerability": "VCID-mb8k-971z-myd1" }, { "vulnerability": "VCID-rfwn-r567-qben" }, { "vulnerability": "VCID-uwnc-rpz9-7be2" }, { "vulnerability": "VCID-x6na-j6w4-n7aj" }, { "vulnerability": "VCID-x8rp-7y5r-v3eg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@25.10.0" } ], "aliases": [ "CVE-2025-62412", "GHSA-6g2v-66ch-6xmh" ], "risk_score": 1.7, "exploitability": "0.5", "weighted_severity": "3.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-st22-w6hp-tka9" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/91175?format=api", "vulnerability_id": "VCID-uwnc-rpz9-7be2", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65014", "reference_id": "", "reference_type": "", "scores": [ { "value": "2e-05", "scoring_system": "epss", "scoring_elements": "0.00024", "published_at": "2026-06-13T12:55:00Z" }, { "value": "2e-05", "scoring_system": "epss", "scoring_elements": "0.00026", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65014" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65014", "reference_id": "CVE-2025-65014", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65014" }, { "reference_url": "https://github.com/advisories/GHSA-5mrf-j8v6-f45g", "reference_id": "GHSA-5mrf-j8v6-f45g", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5mrf-j8v6-f45g" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g", "reference_id": "GHSA-5mrf-j8v6-f45g", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-19T14:53:12Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35293?format=api", "purl": "pkg:composer/librenms/librenms@25.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-adhj-ruja-n7gb" }, { "vulnerability": "VCID-cc1u-4ca7-v7he" }, { "vulnerability": "VCID-cmqg-e3da-r7cf" }, { "vulnerability": "VCID-g8zs-nkxb-hyc4" }, { "vulnerability": "VCID-js2a-whr7-dufs" }, { "vulnerability": "VCID-k5z7-q82d-tue6" }, { "vulnerability": "VCID-mb8k-971z-myd1" }, { "vulnerability": "VCID-x6na-j6w4-n7aj" }, { "vulnerability": "VCID-x8rp-7y5r-v3eg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@25.11.0" } ], "aliases": [ "CVE-2025-65014", "GHSA-5mrf-j8v6-f45g" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uwnc-rpz9-7be2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70863?format=api", "vulnerability_id": "VCID-x6na-j6w4-n7aj", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a port group, an HTTP POST request is sent to the Request-URI \"/port-groups\". The name of the newly created port group is stored in the value of the name parameter. 
After the port group is created, the entry is displayed along with relevant buttons such as Edit and Delete. This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26992", "reference_id": "", "reference_type": "", "scores": [ { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00192", "published_at": "2026-06-14T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00194", "published_at": "2026-06-11T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00193", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26992" }, { "reference_url": "https://github.com/librenms/librenms/pull/19042", "reference_id": "19042", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:52:54Z/" } ], "url": "https://github.com/librenms/librenms/pull/19042" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:52:54Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://github.com/librenms/librenms/commit/882fe6f90ea504a3732f83caf89bba7850a5699f", "reference_id": "882fe6f90ea504a3732f83caf89bba7850a5699f", 
"reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:52:54Z/" } ], "url": "https://github.com/librenms/librenms/commit/882fe6f90ea504a3732f83caf89bba7850a5699f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26992", "reference_id": "CVE-2026-26992", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26992" }, { "reference_url": "https://github.com/advisories/GHSA-93fx-g747-695x", "reference_id": "GHSA-93fx-g747-695x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-93fx-g747-695x" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x", "reference_id": "GHSA-93fx-g747-695x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:52:54Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": 
"pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26992", "GHSA-93fx-g747-695x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x6na-j6w4-n7aj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70869?format=api", "vulnerability_id": "VCID-x8rp-7y5r-v3eg", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. 
This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26990", "reference_id": "", "reference_type": "", "scores": [ { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00131", "published_at": "2026-06-11T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.0013", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26990" }, { "reference_url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1", "reference_id": "15429580baba03ed1dd377bada1bde4b7a1175a1", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:14Z/" } ], "url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1" }, { "reference_url": "https://github.com/librenms/librenms/pull/18777", "reference_id": "18777", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:14Z/" } ], "url": "https://github.com/librenms/librenms/pull/18777" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26990", "reference_id": "CVE-2026-26990", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26990" }, { "reference_url": "https://github.com/advisories/GHSA-79q9-wc6p-cf92", "reference_id": "GHSA-79q9-wc6p-cf92", "reference_type": "", "scores": [ { 
"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-79q9-wc6p-cf92" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92", "reference_id": "GHSA-79q9-wc6p-cf92", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:14Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26990", "GHSA-79q9-wc6p-cf92" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x8rp-7y5r-v3eg" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121735?format=api", "vulnerability_id": "VCID-cntm-etf9-kkbv", "summary": "librenms is a community-based GPL-licensed network monitoring system. A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the template is rendered, potentially compromising other admin accounts. 
This vulnerability is fixed in 25.8.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55296", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04557", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.0454", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.0455", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.1133", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55296" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55296", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55296" }, { "reference_url": "https://github.com/librenms/librenms/commit/8ade3d827d317f5ac4b336617aafff865f825958", "reference_id": "8ade3d827d317f5ac4b336617aafff865f825958", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-18T17:37:45Z/" } ], "url": "https://github.com/librenms/librenms/commit/8ade3d827d317f5ac4b336617aafff865f825958" }, { "reference_url": "https://github.com/advisories/GHSA-vxq6-8cwm-wj99", "reference_id": "GHSA-vxq6-8cwm-wj99", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-vxq6-8cwm-wj99" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-vxq6-8cwm-wj99", "reference_id": "GHSA-vxq6-8cwm-wj99", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-18T17:37:45Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-vxq6-8cwm-wj99" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34555?format=api", "purl": "pkg:composer/librenms/librenms@25.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-18g9-2u9c-nbez" }, { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-adhj-ruja-n7gb" }, { "vulnerability": "VCID-ae82-tsr6-c3cw" }, { "vulnerability": "VCID-cc1u-4ca7-v7he" }, { "vulnerability": "VCID-cmqg-e3da-r7cf" }, { "vulnerability": "VCID-g8zs-nkxb-hyc4" }, { "vulnerability": "VCID-js2a-whr7-dufs" }, { "vulnerability": "VCID-k5z7-q82d-tue6" }, { "vulnerability": "VCID-mb8k-971z-myd1" }, { "vulnerability": "VCID-rfwn-r567-qben" }, { "vulnerability": "VCID-st22-w6hp-tka9" }, { "vulnerability": "VCID-uwnc-rpz9-7be2" }, { "vulnerability": "VCID-x6na-j6w4-n7aj" }, { "vulnerability": "VCID-x8rp-7y5r-v3eg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@25.8.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/520342?format=api", "purl": "pkg:composer/librenms/librenms@201609", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@201609" } ], "aliases": [ 
"CVE-2025-55296", "GHSA-vxq6-8cwm-wj99" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cntm-etf9-kkbv" } ], "risk_score": "4.2", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@25.8.0" }