Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-cmqg-e3da-r7cf
Vulnerability ID VCID-cmqg-e3da-r7cf
Aliases CVE-2026-26987
GHSA-gqx7-99jw-6fpr
Summary LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version 26.2.0.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 1e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-26987
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-gqx7-99jw-6fpr
cvssv4 5.3 https://github.com/librenms/librenms
generic_textual MODERATE https://github.com/librenms/librenms
cvssv4 5.3 https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b
generic_textual MODERATE https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b
ssvc Track https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b
cvssv4 5.3 https://github.com/librenms/librenms/pull/19038
generic_textual MODERATE https://github.com/librenms/librenms/pull/19038
ssvc Track https://github.com/librenms/librenms/pull/19038
cvssv4 5.3 https://github.com/librenms/librenms/releases/tag/26.2.0
generic_textual MODERATE https://github.com/librenms/librenms/releases/tag/26.2.0
ssvc Track https://github.com/librenms/librenms/releases/tag/26.2.0
cvssv3.1_qr MODERATE https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr
cvssv4 5.3 https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr
generic_textual MODERATE https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr
ssvc Track https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr
cvssv4 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-26987
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-26987
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-26987
19038 https://github.com/librenms/librenms/pull/19038
26.2.0 https://github.com/librenms/librenms/releases/tag/26.2.0
8e626b38ef92e240532cdac2ac7e38706a71208b https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b
CVE-2026-26987 https://nvd.nist.gov/vuln/detail/CVE-2026-26987
GHSA-gqx7-99jw-6fpr https://github.com/advisories/GHSA-gqx7-99jw-6fpr
GHSA-gqx7-99jw-6fpr https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/librenms/librenms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/ Found at https://github.com/librenms/librenms/commit/8e626b38ef92e240532cdac2ac7e38706a71208b
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/librenms/librenms/pull/19038
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/ Found at https://github.com/librenms/librenms/pull/19038
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/librenms/librenms/releases/tag/26.2.0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/ Found at https://github.com/librenms/librenms/releases/tag/26.2.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:31:42Z/ Found at https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-26987
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 6e-05
EPSS Score 1e-05
Published At June 12, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:44:35.232831+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/26xxx/CVE-2026-26987.json 38.6.0