{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6204", "assignerOrgId": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "state": "PUBLISHED", "assignerShortName": "PRJBLK", "dateReserved": "2026-04-13T10:42:58.812Z", "datePublished": "2026-04-13T10:56:16.850Z", "dateUpdated": "2026-04-13T12:43:19.241Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "shortName": "PRJBLK", "dateUpdated": "2026-04-13T10:56:16.850Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "affected": [{"vendor": "librenms", "product": "librenms", "versions": [{"status": "affected", "version": "0", "lessThan": "26.3.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the\u00a0Binary Locations\u00a0config\u00a0and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><p>LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the&nbsp;<em>Binary Locations</em><span>&nbsp;</span><span>config</span><span>&nbsp;and the Netcommand feature</span><span>. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.</span></p></div><div><div></div></div><br>"}]}], "references": [{"url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh", "tags": ["vendor-advisory"]}, {"url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc", "tags": ["exploit"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T12:42:55.779944Z", "id": "CVE-2026-6204", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:43:19.241Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6204", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T12:42:55.779944Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:43:15.324Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "librenms", "product": "librenms", "versions": [{"status": "affected", "version": "0", "lessThan": "26.3.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh", "tags": ["vendor-advisory"]}, {"url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc", "tags": ["exploit"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the\u00a0Binary Locations\u00a0config\u00a0and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.", "supportingMedia": [{"type": "text/html", "value": "<div><p>LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the&nbsp;<em>Binary Locations</em><span>&nbsp;</span><span>config</span><span>&nbsp;and the Netcommand feature</span><span>. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.</span></p></div><div><div></div></div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')"}]}], "providerMetadata": {"orgId": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "shortName": "PRJBLK", "dateUpdated": "2026-04-13T10:56:16.850Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6204", "state": "PUBLISHED", "dateUpdated": "2026-04-13T12:43:19.241Z", "dateReserved": "2026-04-13T10:42:58.812Z", "assignerOrgId": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "datePublished": "2026-04-13T10:56:16.850Z", "assignerShortName": "PRJBLK"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A43AE03C-7129-4F1F-B01C-28637F82A1B4", "versionEndExcluding": "26.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the\u00a0Binary Locations\u00a0config\u00a0and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server."}], "id": "CVE-2026-6204", "lastModified": "2026-04-22T19:47:46.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "type": "Secondary"}]}, "published": "2026-04-13T11:16:06.243", "references": [{"source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "tags": ["Third Party Advisory"], "url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh"}, {"source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "tags": ["Exploit", "Third Party Advisory"], "url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc"}], "sourceIdentifier": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "librenms", "source": "cna", "vendor": "librenms"}, "product": "librenms", "vendor": "librenms"}], "analysis": {"en": {"generated_at": "2026-04-13T12:20:24.231403+00:00", "value": {"mitigation_remediation": ["Upgrade LibreNMS to version 26.3.0 or newer.", "If an upgrade is not immediately possible, restrict administrative access until the patch is applied.", "Disable or restrict the Binary Locations configuration and the Netcommand feature if they are not required."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "LibreNMS versions earlier than 26.3.0 are affected. The issue resides in the librenms:librenms product. Users running any pre-26.3.0 release are potentially vulnerable.", "description_and_impact": "The vulnerability allows an attacker with administrative privileges to execute arbitrary code on the LibreNMS web server by manipulating the Binary Locations configuration and leveraging the Netcommand feature. This authenticated remote code execution can compromise the underlying operating system and any services running on the host. The weakness is defined as command injection (CWE-78) and has a high severity score of 8.5, indicating broad impact if exploited.", "risk_and_exploitability": "The CVSS score of 8.5 reflects a significant risk, though the EPSS score is not available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but it remains a high\u2011severity threat. An attacker must be authenticated with administrative rights to exploit the flaw, typically by logging into the web interface. Once authenticated, the attacker can trigger Netcommand executions that follow the configured binary paths, leading to arbitrary code execution on the host."}}}}, "created": "2026-04-13T12:36:44.315737+00:00", "title": "Authenticated Remote Code Execution via Binary Locations in LibreNMS", "updated": "2026-04-13T12:52:29.670287+00:00", "vendors": ["librenms", "librenms$PRODUCT$librenms"]}