Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/39372?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "type": "composer", "namespace": "librenms", "name": "librenms", "version": "26.2.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "26.3.0", "latest_non_vulnerable_version": "201609", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75305?format=api", "vulnerability_id": "VCID-2gun-mcx6-akcy", "summary": "LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-6204", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00779", "published_at": "2026-06-11T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00777", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-6204" }, { "reference_url": "https://github.com/librenms/librenms/blob/master/app/Providers/AppServiceProvider.php#L169", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/librenms/librenms/blob/master/app/Providers/AppServiceProvider.php#L169" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6204", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6204" }, { "reference_url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc", "reference_id": "#binary-path-rce-poc", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-13T12:42:55Z/" } ], "url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc" }, { "reference_url": "https://github.com/advisories/GHSA-pr3g-phhr-h8fh", "reference_id": "GHSA-pr3g-phhr-h8fh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pr3g-phhr-h8fh" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh", "reference_id": "GHSA-pr3g-phhr-h8fh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-13T12:42:55Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40935?format=api", "purl": "pkg:composer/librenms/librenms@26.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.3.0" } ], "aliases": [ "CVE-2026-6204", "GHSA-pr3g-phhr-h8fh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2gun-mcx6-akcy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359973?format=api", "vulnerability_id": "VCID-mb8k-971z-myd1", "summary": "Duplicate Advisory: LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-pr3g-phhr-h8fh. This link is maintained to preserve external references.\n\n## Original Description\nLibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6204", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6204" }, { "reference_url": "https://github.com/advisories/GHSA-7549-ggpq-22w8", "reference_id": "GHSA-7549-ggpq-22w8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7549-ggpq-22w8" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh", "reference_id": "GHSA-pr3g-phhr-h8fh", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40935?format=api", "purl": "pkg:composer/librenms/librenms@26.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.3.0" } ], "aliases": [ "GHSA-7549-ggpq-22w8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mb8k-971z-myd1" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79887?format=api", "vulnerability_id": "VCID-adhj-ruja-n7gb", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27016", "reference_id": "", "reference_type": "", "scores": [ { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00193", "published_at": "2026-06-12T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00194", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27016" }, { "reference_url": "https://github.com/librenms/librenms/pull/19040", "reference_id": "19040", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:32Z/" } ], "url": "https://github.com/librenms/librenms/pull/19040" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:32Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335", "reference_id": "3bea263e02441690c01dea7fa3fe6ffec94af335", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:32Z/" } ], "url": "https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27016", "reference_id": "CVE-2026-27016", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27016" }, { "reference_url": "https://github.com/advisories/GHSA-fqx6-693c-f55g", "reference_id": "GHSA-fqx6-693c-f55g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fqx6-693c-f55g" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g", "reference_id": "GHSA-fqx6-693c-f55g", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:32Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-27016", "GHSA-fqx6-693c-f55g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-adhj-ruja-n7gb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70900?format=api", "vulnerability_id": "VCID-cc1u-4ca7-v7he", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a device group, an HTTP POST request is sent to the Request-URI \"/device-groups\". The name of the newly created device group is stored in the value of the name parameter. After the device group is created, the entry is displayed along with relevant buttons such as Rediscover Devices, Edit, and Delete. This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26991", "reference_id": "", "reference_type": "", "scores": [ { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00193", "published_at": "2026-06-12T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00194", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26991" }, { "reference_url": "https://github.com/librenms/librenms/pull/19041", "reference_id": "19041", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T16:32:06Z/" } ], "url": "https://github.com/librenms/librenms/pull/19041" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T16:32:06Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c", "reference_id": "64b31da444369213eb4559ec1c304ebfaa0ba12c", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T16:32:06Z/" } ], "url": "https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26991", "reference_id": "CVE-2026-26991", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26991" }, { "reference_url": "https://github.com/advisories/GHSA-5pqf-54qp-32wx", "reference_id": "GHSA-5pqf-54qp-32wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5pqf-54qp-32wx" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx", "reference_id": "GHSA-5pqf-54qp-32wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T16:32:06Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26991", "GHSA-5pqf-54qp-32wx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cc1u-4ca7-v7he" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70911?format=api", "vulnerability_id": "VCID-cmqg-e3da-r7cf", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26987", "reference_id": "", "reference_type": "", "scores": [ { "value": "1e-05", "scoring_system": "epss", "scoring_elements": "6e-05", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26987" }, { "reference_url": "https://github.com/librenms/librenms/pull/19038", "reference_id": "19038", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/" } ], "url": "https://github.com/librenms/librenms/pull/19038" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b", "reference_id": "8e626b38ef92e240532cdac2ac7e38706a71208b", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/" } ], "url": "https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26987", "reference_id": "CVE-2026-26987", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26987" }, { "reference_url": "https://github.com/advisories/GHSA-gqx7-99jw-6fpr", "reference_id": "GHSA-gqx7-99jw-6fpr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqx7-99jw-6fpr" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr", "reference_id": "GHSA-gqx7-99jw-6fpr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26987", "GHSA-gqx7-99jw-6fpr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cmqg-e3da-r7cf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70766?format=api", "vulnerability_id": "VCID-js2a-whr7-dufs", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26989", "reference_id": "", "reference_type": "", "scores": [ { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00136", "published_at": "2026-06-12T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00137", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26989" }, { "reference_url": "https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58", "reference_id": "087608cf9f851189847cb8e8e5ad002e59170c58", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:36Z/" } ], "url": "https://github.com/librenms/librenms/commit/087608cf9f851189847cb8e8e5ad002e59170c58" }, { "reference_url": "https://github.com/librenms/librenms/pull/19039", "reference_id": "19039", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:36Z/" } ], "url": "https://github.com/librenms/librenms/pull/19039" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:36Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26989", "reference_id": "CVE-2026-26989", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26989" }, { "reference_url": "https://github.com/advisories/GHSA-6xmx-xr9p-58p7", "reference_id": "GHSA-6xmx-xr9p-58p7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6xmx-xr9p-58p7" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7", "reference_id": "GHSA-6xmx-xr9p-58p7", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:36Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26989", "GHSA-6xmx-xr9p-58p7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-js2a-whr7-dufs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70883?format=api", "vulnerability_id": "VCID-k5z7-q82d-tue6", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26988", "reference_id": "", "reference_type": "", "scores": [ { "value": "1e-05", "scoring_system": "epss", "scoring_elements": "4e-05", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26988" }, { "reference_url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1", "reference_id": "15429580baba03ed1dd377bada1bde4b7a1175a1", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:39Z/" } ], "url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1" }, { "reference_url": "https://github.com/librenms/librenms/pull/18777", "reference_id": "18777", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:39Z/" } ], "url": "https://github.com/librenms/librenms/pull/18777" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26988", "reference_id": "CVE-2026-26988", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26988" }, { "reference_url": "https://github.com/advisories/GHSA-h3rv-q4rq-pqcv", "reference_id": "GHSA-h3rv-q4rq-pqcv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h3rv-q4rq-pqcv" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-h3rv-q4rq-pqcv", "reference_id": "GHSA-h3rv-q4rq-pqcv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:39Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-h3rv-q4rq-pqcv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26988", "GHSA-h3rv-q4rq-pqcv" ], "risk_score": 4.2, "exploitability": "0.5", "weighted_severity": "8.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k5z7-q82d-tue6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70863?format=api", "vulnerability_id": "VCID-x6na-j6w4-n7aj", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform Stored Cross-Site Scripting (XSS) attacks. When a user adds a port group, an HTTP POST request is sent to the Request-URI \"/port-groups\". The name of the newly created port group is stored in the value of the name parameter. After the port group is created, the entry is displayed along with relevant buttons such as Edit and Delete. This issue has been fixed in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26992", "reference_id": "", "reference_type": "", "scores": [ { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00193", "published_at": "2026-06-12T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00194", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26992" }, { "reference_url": "https://github.com/librenms/librenms/pull/19042", "reference_id": "19042", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:52:54Z/" } ], "url": "https://github.com/librenms/librenms/pull/19042" }, { "reference_url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "reference_id": "26.2.0", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:52:54Z/" } ], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0" }, { "reference_url": "https://github.com/librenms/librenms/commit/882fe6f90ea504a3732f83caf89bba7850a5699f", "reference_id": "882fe6f90ea504a3732f83caf89bba7850a5699f", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:52:54Z/" } ], "url": "https://github.com/librenms/librenms/commit/882fe6f90ea504a3732f83caf89bba7850a5699f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26992", "reference_id": "CVE-2026-26992", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26992" }, { "reference_url": "https://github.com/advisories/GHSA-93fx-g747-695x", "reference_id": "GHSA-93fx-g747-695x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-93fx-g747-695x" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x", "reference_id": "GHSA-93fx-g747-695x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:52:54Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26992", "GHSA-93fx-g747-695x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x6na-j6w4-n7aj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70869?format=api", "vulnerability_id": "VCID-x8rp-7y5r-v3eg", "summary": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26990", "reference_id": "", "reference_type": "", "scores": [ { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00131", "published_at": "2026-06-11T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.0013", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26990" }, { "reference_url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1", "reference_id": "15429580baba03ed1dd377bada1bde4b7a1175a1", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:14Z/" } ], "url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1" }, { "reference_url": "https://github.com/librenms/librenms/pull/18777", "reference_id": "18777", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:14Z/" } ], "url": "https://github.com/librenms/librenms/pull/18777" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26990", "reference_id": "CVE-2026-26990", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26990" }, { "reference_url": "https://github.com/advisories/GHSA-79q9-wc6p-cf92", "reference_id": "GHSA-79q9-wc6p-cf92", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-79q9-wc6p-cf92" }, { "reference_url": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92", "reference_id": "GHSA-79q9-wc6p-cf92", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:14Z/" } ], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39372?format=api", "purl": "pkg:composer/librenms/librenms@26.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2gun-mcx6-akcy" }, { "vulnerability": "VCID-mb8k-971z-myd1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" } ], "aliases": [ "CVE-2026-26990", "GHSA-79q9-wc6p-cf92" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x8rp-7y5r-v3eg" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/librenms/librenms@26.2.0" }