GHSA-5GM9-622F-QCG5
Vulnerability from github – Published: 2026-05-18 17:00 – Updated: 2026-05-18 17:00
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in the ShowConfig page of devices affected by the RANCID Integration settings. The application fails to properly sanitise the rancid_repo_url configuration value. When a user navigates to a device's configuration page, this unsanitised value is rendered directly within an HTML anchor (<a>) tag. This allows an authenticated user with permission to modify external settings to inject malicious JavaScript that will execute in the browser of any user viewing the affected device pages.
Details
The vulnerability is located in the external settings configuration block, specifically at the settings/external/rancid endpoint. When a valid rancid_configs is set, the application renders the corresponding rancid_repo_url as a clickable link labeled "Git Repository" on the /device/{id}/showconfig UI.
Because the rancid_repo_url input is neither validated upon saving nor contextually encoded upon rendering, an attacker can break out of the href attribute context or use JavaScript URIs to attach malicious event handlers or scripts.
This vulnerability is introduced at line 13 of https://github.com/librenms/librenms/blob/master/includes/html/pages/device/showconfig.inc.php.
PoC
1. Log in as an admin and navigate to /settings/external/rancid.
2. Add a valid path to rancid_configs. This can be any directory ending with .git.
3. Put "></a><img/src/onerror=alert(1)><a x=" into the rancid_repo_url config.
4. Navigate to a device page and click Config (or visit /device/{id}/showconfig directly).
5. The XSS is triggered when visiting the page. It will pop up an alert dialog.
Other Payloads
- javascript:alert(1)" x=" - triggered by clicking the link.
- " onmouseover="alert(1)" x=" - triggered by hovering over the link.
Impact
Since an admin account is required to change the settings, the risk is minimal in systems with a single administrator. However, in environments with multiple administrative users, this constitutes an Admin-to-Admin Cross-Site Scripting attack. It could be used by a compromised admin account to execute arbitrary frontend code in the context of another administrator's session, potentially leading to session hijacking or unauthorized data exposure.
Remediation Advice
Ensure proper sanitisation is performed on affected fields, with all special characters escaped and HTML encoded. This can be done with existing frameworks like HTMLPurifier.
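The two failures named in the Details section (no validation on save, no contextual encoding on render) and the fix asked for here can be checked side by side. The following is an added example, not LibreNMS code: it is a language-neutral Python illustration of the same href-attribute context, with the three payloads from this advisory used only as inputs to confirm the hardened path rejects them. The allowed scheme list, the function names and the fallback text are assumptions for the example. One point worth showing explicitly: attribute encoding alone stops the tag and event-handler injections, but not the javascript: URI, because the browser decodes the attribute before treating it as a URL; that case needs the save-time scheme allow-list.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Payloads quoted from the advisory's PoC section, used here only to verify the fix.
PAYLOADS = [
    '"></a><img/src/onerror=alert(1)><a x="',
    'javascript:alert(1)" x="',
    '" onmouseover="alert(1)" x="',
]

# Assumption for this example: a RANCID repository remote only uses one of these schemes.
ALLOWED_SCHEMES = {"http", "https", "git", "ssh"}

INVALID_TEXT = "Git Repository (invalid URL configured)"  # hypothetical fallback label


def render_link_unsafe(repo_url: str) -> str:
    """Reproduces the flaw: the stored value is interpolated into href verbatim."""
    return f'<a href="{repo_url}">Git Repository</a>'


def encode_attribute(value: str) -> str:
    """Escape &, <, >, " and ' for a double-quoted HTML attribute.

    PHP equivalent: htmlspecialchars($value, ENT_QUOTES, 'UTF-8').
    """
    return html.escape(value, quote=True)


def render_link_encode_only(repo_url: str) -> str:
    """Half of the fix: encoding at render time, no validation at save time."""
    return f'<a href="{encode_attribute(repo_url)}">Git Repository</a>'


def validate_repo_url(repo_url: str) -> bool:
    """Save-time allow-list: absolute URL, permitted scheme, no attribute-breaking characters.

    This is the check that rejects a javascript: URI; encoding cannot, because the
    browser decodes the attribute value before interpreting it as a URL.
    """
    parts = urlsplit(repo_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    # A repository URL never legitimately contains quotes, angle brackets or whitespace.
    return not any(ch in repo_url for ch in '"\'<> \t\r\n')


def render_link_safe(repo_url: str) -> str:
    """Full fix: reject bad values at the boundary, encode the rest for the attribute context."""
    if not validate_repo_url(repo_url):
        return INVALID_TEXT
    return render_link_encode_only(repo_url)


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def markup_structure_intact(markup: str) -> bool:
    """True when the output is a single <a> carrying only href: no injected tags or on* handlers."""
    tags = parse_tags(markup)
    return len(tags) == 1 and tags[0][0] == "a" and set(tags[0][1]) == {"href"}


def href_scheme(markup: str) -> str:
    """Scheme of the rendered href as the browser sees it, after entity decoding."""
    tags = parse_tags(markup)
    if not tags:
        return ""
    href = tags[0][1].get("href") or ""
    return urlsplit(href).scheme.lower()


if __name__ == "__main__":
    for payload in PAYLOADS:
        unsafe = render_link_unsafe(payload)
        encoded = render_link_encode_only(payload)
        print("unsafe      :", unsafe, "| intact:", markup_structure_intact(unsafe), "| scheme:", href_scheme(unsafe))
        print("encode-only :", encoded, "| intact:", markup_structure_intact(encoded), "| scheme:", href_scheme(encoded))
        print("validate+enc:", render_link_safe(payload))
    print(render_link_safe("https://git.example.com/rancid.git"))
```

Running the block shows the split the advisory describes: the first and third payloads break the attribute or add an event handler in the unsafe render and are neutralised by encoding alone, while the second survives encoding with a javascript: scheme intact and is only stopped by the allow-list. Validating on save and encoding on render are therefore both needed, not alternatives.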
CVE Request
CVE References: https://projectblack.io/blog/librenms-authenticated-rce-and-xss/
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "25.12.0"
},
{
"fixed": "26.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2728"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:00:49Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nA Stored Cross-Site Scripting (XSS) vulnerability exists in the ShowConfig page of devices affected by the RANCID Integration settings. The application fails to properly sanitise the `rancid_repo_url` configuration value. When a user navigates to a device\u0027s configuration page, this unsanitised value is rendered directly within an HTML anchor (\u0026lt;a\u0026gt;) tag. This allows an authenticated user with permission to modify external settings to inject malicious JavaScript that will execute in the browser of any user viewing the affected device pages.\n\n### Details\nThe vulnerability is located in the external settings configuration block, specifically at the settings/external/rancid endpoint. When a valid rancid_configs is set, the application renders the corresponding `rancid_repo_url` as a clickable link labeled \"Git Repository\" on the `/device/{id}/showconfig` UI.\n\nBecause the `rancid_repo_url` input is neither validated upon saving nor contextually encoded upon rendering, an attacker can break out of the `href` attribute context or use JavaScript URIs to attach malicious event handlers or scripts.\n\nThis vulnerability is introduced by the line 13 of https://github.com/librenms/librenms/blob/master/includes/html/pages/device/showconfig.inc.php.\n\n### PoC\n1. Login as an admin and navigate to `/settings/external/rancid`.\n\u003cimg width=\"790\" height=\"155\" alt=\"image\" src=\"https://github.com/user-attachments/assets/348fff1b-dfce-4735-9273-055113695368\" /\u003e\n\n2. Add a valid path to `rancid_configs`. This can be any directory ended with `.git`. \n3. Put `\"\u003e\u003c/a\u003e\u003cimg/src/onerror=alert(1)\u003e\u003ca x=\"` into `rancid_repo_url` config.\n\u003cimg width=\"909\" height=\"276\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b8c5d650-ba05-4326-8a2d-bea8defa7373\" /\u003e\n\n4. Navigate to a device page and click `Config` (Or visit `/device/{id}/showconfig` directly).\n5. The XSS is triggered when visiting the page. It will pop up an alert dialog.\n\u003cimg width=\"810\" height=\"454\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4d15784e-ff93-46ec-b13e-08a225a8d6d4\" /\u003e\n\n#### Other Payloads\n\n- `javascript:alert(1)\" x=\"` - triggered by clicking the link.\n- ``\" onmouseover=\"alert(1)\" x=\"` - triggered by hovering on the link\n\n### Impact\nSince an admin account is required to change the settings, the risk is minimal in systems with a single administrator. However, in environments with multiple administrative users, this constitutes an Admin-to-Admin Cross-Site Scripting attack. It could be used by a compromised admin account to execute arbitrary frontend code in the context of another administrator\u0027s session, potentially leading to session hijacking or unauthorized data exposure.\n\n### Remediation Advice\nEnsure proper sanitisation is performed on affected fields, with all special characters escaped and HTML encoded. This can be done with existing frameworks like HTMLPurifier.\n\n### CVE Request\nCVE References: https://projectblack.io/blog/librenms-authenticated-rce-and-xss/",
"id": "GHSA-5gm9-622f-qcg5",
"modified": "2026-05-18T17:00:49Z",
"published": "2026-05-18T17:00:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-5gm9-622f-qcg5"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/releases/tag/26.3.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "LibreNMS: Cross-Site Scripting in ShowConfigController"
}