CVE-2026-2728 | THREATINT

Description

LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. Successful exploitation requires administrative privileges. Exploitation could result in XSS attacks being performed against other users with access to the page.

PUBLISHED Reserved 2026-02-18 | Published 2026-04-13 | Updated 2026-04-13 | Assigner PRJBLK

MEDIUM: 4.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Default status

unaffected

Any version before 26.3.0

affected

References

projectblack.io/blog/librenms-authenticated-rce-and-xss/ exploit

cve.org (CVE-2026-2728)

nvd.nist.gov (CVE-2026-2728)

Download JSON