CVE-2026-26991: LibreNMS /device-groups name Stored Cross-Site Scripting
/device-groups name Stored Cross-Site Scripting
- HTTP POST
- Request-URI(s): “/device-groups”
- Vulnerable parameter(s): “name”
- Attacker must be authenticated with “admin” privileges.
- When a user adds a device group, an HTTP POST request is sent to the Request-URI “/device-groups”. The name of the newly created device group is stored in the value of the name parameter.
- After the device group is created, the entry is displayed along with some relevant buttons like Rediscover Devices, Edit, and Delete.
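An added example (not LibreNMS code and not part of the advisory): a defender-side audit of stored device group names for markup, next to an HTML-encoded rendering of the same value. It assumes the names have been exported as (id, name) pairs; the function names and the sample rows are hypothetical and constructed for illustration.

```python
import html
import re
import unicodedata

# Characters that change meaning in an HTML text or attribute context.
HTML_SPECIAL = re.compile(r"[<>&\"'`]")
# Patterns that look like markup rather than an ordinary label.
TAG_LIKE = re.compile(r"<\s*/?\s*[a-zA-Z!][^>]*>?")
HANDLER_LIKE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample export of (id, name) pairs; not real data.
SAMPLE_ROWS = [
    (1, "Core Routers"),
    (2, "Edge & DMZ"),
    (3, '<i onmouseover="x">DMZ</i>'),
    (4, "Lab <b>switches</b>"),
]


def audit_name(name):
    """Return the reasons a stored name deserves review (empty list = clean)."""
    # NFKC folds full-width look-alikes (e.g. U+FF1C) back to ASCII first.
    normalized = unicodedata.normalize("NFKC", name)
    reasons = []
    if TAG_LIKE.search(normalized):
        reasons.append("tag-like markup")
    if HANDLER_LIKE.search(normalized):
        reasons.append("event-handler attribute")
    if not reasons and HTML_SPECIAL.search(normalized):
        reasons.append("HTML special character")
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        reasons.append("control character")
    return reasons


def audit(rows):
    """Map each flagged row id to its list of reasons."""
    return {gid: r for gid, name in rows if (r := audit_name(name))}


def render_cell(name):
    """Render a name into a table cell with HTML output encoding applied."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


if __name__ == "__main__":
    for gid, reasons in audit(SAMPLE_ROWS).items():
        print(gid, ", ".join(reasons))
    print(render_cell(SAMPLE_ROWS[2][1]))
```

A name flagged only for an HTML special character (such as an ampersand) is usually legitimate; the tag-like and event-handler findings are the ones to review first.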
References
- github.com/advisories/GHSA-5pqf-54qp-32wx
- github.com/librenms/librenms
- github.com/librenms/librenms/commit/64b31da444369213eb4559ec1c304ebfaa0ba12c
- github.com/librenms/librenms/pull/19041
- github.com/librenms/librenms/releases/tag/26.2.0
- github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx
- nvd.nist.gov/vuln/detail/CVE-2026-26991