{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27016", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T03:08:23.490Z", "datePublished": "2026-02-20T01:34:11.241Z", "dateUpdated": "2026-02-20T15:34:34.942Z"}, "containers": {"cna": {"title": "LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags()", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g"}, {"name": "https://github.com/librenms/librenms/pull/19040", "tags": ["x_refsource_MISC"], "url": "https://github.com/librenms/librenms/pull/19040"}, {"name": "https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335", "tags": ["x_refsource_MISC"], "url": "https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335"}, {"name": "https://github.com/librenms/librenms/releases/tag/26.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0"}], "affected": [{"vendor": "librenms", "product": "librenms", "versions": [{"version": ">= 24.10.0, < 26.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T01:34:11.241Z"}, "descriptions": [{"lang": "en", "value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0."}], "source": {"advisory": "GHSA-fqx6-693c-f55g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:26:32.832016Z", "id": "CVE-2026-27016", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:34:34.942Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27016", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T15:26:32.832016Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:26:34.413Z"}}], "cna": {"title": "LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags()", "source": {"advisory": "GHSA-fqx6-693c-f55g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "librenms", "product": "librenms", "versions": [{"status": "affected", "version": ">= 24.10.0, < 26.2.0"}]}], "references": [{"url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g", "name": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/librenms/librenms/pull/19040", "name": "https://github.com/librenms/librenms/pull/19040", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335", "name": "https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/librenms/librenms/releases/tag/26.2.0", "name": "https://github.com/librenms/librenms/releases/tag/26.2.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T01:34:11.241Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27016", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:34:34.942Z", "dateReserved": "2026-02-17T03:08:23.490Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-20T01:34:11.241Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DF70D72-DD59-426A-8938-18E877C05530", "versionEndExcluding": "26.2.0", "versionStartIncluding": "24.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0."}], "id": "CVE-2026-27016", "lastModified": "2026-02-20T16:22:29.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-20T02:16:55.140", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/librenms/librenms/pull/19040"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/librenms/librenms/releases/tag/26.2.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[24.10.0,26.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "librenms", "source": "cna", "vendor": "librenms"}, "product": "librenms", "vendor": "librenms"}], "analysis": {"en": {"generated_at": "2026-04-18T11:36:14.968902+00:00", "value": {"mitigation_remediation": ["Upgrade Librenms to version 26.2.0 or later.", "Delete or sanitize previously stored unit values that may contain malicious scripts.", "Restrict Custom OID creation/editing to trusted administrators and enforce stricter input validation."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via the Custom OID unit field"}, "threat_synthesis": {"affected_systems": "Versions 24.10.0 through 26.1.1 of the Librenms application are affected. The vulnerability is limited to the Librenms:Librenms product line and is resolved in release 26.2.0.", "description_and_impact": "LibreNMS, an auto\u2011discovery network monitoring tool, stores the value of the unit field in a Custom OID without applying strip_tags() or HTML escaping. The stored value is later rendered on web pages, so an attacker who can inject a crafted unit string can cause arbitrary JavaScript to execute in the browsers of any user who views the page, leading to cookie theft, session hijacking, or further client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of being actively exploited. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to create or edit a Custom OID via the web interface, a privilege normally granted to highly trusted administrators. Once a malicious unit value is stored, any user who views the corresponding page will have the script executed in their browser. The impact is confined to the affected users\u2019 browsers, but the attack can be amplified if social engineering is used to lure other users to the compromised page."}}}}, "created": "2026-02-20T09:52:57.195675+00:00", "updated": "2026-04-18T11:45:44.590028+00:00", "vendors": ["librenms", "librenms$PRODUCT$librenms"]}