
Description

LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. The 'sort' parameter is passed into an SQL command without proper neutralization, so an authenticated attacker can manipulate it to retrieve sensitive database contents through time-based blind SQL injection.

PUBLISHED Reserved 2026-01-25 | Published 2026-01-27 | Updated 2026-01-27 | Assigner VulnCheck




HIGH: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)

HIGH: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

1.46: affected

Credits

Hodorsec (finder)

References

community.librenms.org/ [exploit]

www.exploit-db.com/exploits/49246 (ExploitDB-49246) [exploit]

www.librenms.org (LibreNMS Official Website) [product]

github.com/librenms/librenms (LibreNMS GitHub Repository) [product]

community.librenms.org/ (LibreNMS Community) [product]

www.vulncheck.com/...nting-graph-authenticated-sql-injection (VulnCheck Advisory: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection) [third-party-advisory]

cve.org (CVE-2020-36947)

nvd.nist.gov (CVE-2020-36947)
