High severity · NVD Advisory · Published Feb 20, 2026 · Updated Feb 20, 2026

LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream

CVE-2026-26988

Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
librenms/librenms (Packagist) | < 26.2.0 | 26.2.0


Patches

1
15429580baba

Rewrite address search backend (#18777)

https://github.com/librenms/librenms · Tony Murray · Jan 16, 2026 · via ghsa
11 files changed · +352 166
  • app/Http/Controllers/Table/AddressSearchController.php+115 0 added
    @@ -0,0 +1,115 @@
    +<?php
    +
    +/**
    + * SearchController.php
    + *
    + * -Description-
    + *
    + * This program is free software: you can redistribute it and/or modify
    + * it under the terms of the GNU General Public License as published by
    + * the Free Software Foundation, either version 3 of the License, or
    + * (at your option) any later version.
    + *
    + * This program is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
    + * GNU General Public License for more details.
    + *
    + * You should have received a copy of the GNU General Public License
    + * along with this program.  If not, see <https://www.gnu.org/licenses/>.
    + *
    + * @link       https://www.librenms.org
    + *
    + * @copyright  2026 Tony Murray
    + * @author     Tony Murray <murraytony@gmail.com>
    + */
    +
    +namespace App\Http\Controllers\Table;
    +
    +use App\Models\Port;
    +use Illuminate\Contracts\Database\Query\Expression;
    +use Illuminate\Database\Eloquent\Builder;
    +use Illuminate\Database\Eloquent\Model;
    +use Illuminate\Http\Request;
    +use Illuminate\Support\Facades\DB;
    +use Illuminate\Validation\Rule;
    +use LibreNMS\Exceptions\InvalidIpException;
    +use LibreNMS\Util\IP;
    +use LibreNMS\Util\Url;
    +
    +/**
    + * @template TModel of Model
    + */
    +abstract class AddressSearchController extends TableController
    +{
    +    /** @var string|Expression (string or DB::raw) */
    +    protected mixed $sortField = ''; // set for sort
    +    protected string $searchField = '';
    +    protected string $additionalSearchField = '';
    +    protected string $cidrField = ''; // set for display
    +
    +    protected function sortFields($request)
    +    {
    +        return [
    +            'hostname' => 'device_via_port_hostname',
    +            'interface' => 'port_ifname',
    +            'description' => 'port_description',
    +            'address' => $this->sortField,
    +        ];
    +    }
    +
    +    protected function rules()
    +    {
    +        return [
    +            'address' => ['nullable', 'string'],
    +            'device_id' => ['nullable', 'integer'],
    +            'interface' => ['nullable', Rule::in('Vlan%', 'Loopback%')],
    +        ];
    +    }
    +
    +    /**
    +     * @param  TModel&object{port: Port|null}  $model
    +     * @return string[]
    +     *
    +     * @throws InvalidIpException
    +     */
    +    public function formatItem($model): array
    +    {
    +        $port = $model->port;
    +
    +        return [
    +            'hostname' => Url::modernDeviceLink($port?->device),
    +            'interface' => Url::portLink($port),
    +            'address' => IP::parse($model->{$this->searchField}, true)->compressed() . '/' . $model->{$this->cidrField},
    +            'description' => $port->getLabel() == $port->ifAlias ? '' : $port->ifAlias,
    +        ];
    +    }
    +
    +    protected function applyBaseSearchQuery(Builder $builder, Request $request): Builder
    +    {
    +        return $builder
    +            ->when($request->get('address'), function ($q, $address): void {
    +                if (str_contains($address, '/')) {
    +                    [$address, $cidr] = explode('/', $address, 2);
    +                }
    +
    +                $q->where(fn ($q) => $q->where($this->searchField, 'LIKE', "%$address%")->when($this->additionalSearchField, fn ($q, $f) => $q->orWhere($f, 'LIKE', "%$address%")));
    +
    +                if (isset($cidr)) {
    +                    $q->where($this->cidrField, $cidr);
    +                }
    +            })
    +            ->when($request->get('device_id'), fn ($q, $id) => $q->whereHas('port', fn ($pq) => $pq->where('device_id', $id)))
    +            ->when($request->get('interface'), fn ($q, $i) => $q->whereHas('port', fn ($pq) => $pq->where('ifDescr', 'LIKE', $i)))
    +            ->when($request->has('sort.hostname'), fn ($q) => $q->withAggregate('deviceViaPort', 'hostname'))
    +            ->when($request->has('sort.interface'), fn ($q) => $q->withAggregate('port', 'ifName'))
    +            ->when($request->has('sort.description'), function ($q) use ($builder): void {
    +                $q->select($builder->getModel()->getTable() . '.*')->selectSub(function ($sub) use ($builder): void {
    +                    $sub->selectRaw('IF(ifAlias = ifName || ifAlias = ifDescr, "", ifAlias)')
    +                        ->from('ports')
    +                        ->whereColumn('ports.port_id', $builder->qualifyColumn('port_id'))
    +                        ->limit(1);
    +                }, 'port_description');
    +            });
    +    }
    +}
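Review bot: In `applyBaseSearchQuery` the prefix after `/` is now bound through `$q->where($this->cidrField, $cidr)`, but nothing checks that it is a prefix length: `rules()` only requires `address` to be a string, and `isset($cidr)` is true for an empty string, so a search ending in `/` filters on an empty prefix where the removed code skipped the filter. Guarding it with `if (isset($cidr) && ctype_digit($cidr))` keeps the column comparison to digits and skips an empty prefix again. Separately, `formatItem` documents `port` as `Port|null` and uses `$port?->device`, yet the `description` line calls `$port->getLabel()` unconditionally, which would throw for a row whose port is missing; `'description' => $port === null || $port->getLabel() == $port->ifAlias ? '' : $port->ifAlias,` avoids that.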
    
  • app/Http/Controllers/Table/Ipv4AddressSearchController.php+55 0 added
    @@ -0,0 +1,55 @@
    +<?php
    +
    +/**
    + * Ipv4SearchController.php
    + *
    + * -Description-
    + *
    + * This program is free software: you can redistribute it and/or modify
    + * it under the terms of the GNU General Public License as published by
    + * the Free Software Foundation, either version 3 of the License, or
    + * (at your option) any later version.
    + *
    + * This program is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
    + * GNU General Public License for more details.
    + *
    + * You should have received a copy of the GNU General Public License
    + * along with this program.  If not, see <https://www.gnu.org/licenses/>.
    + *
    + * @link       https://www.librenms.org
    + *
    + * @copyright  2026 Tony Murray
    + * @author     Tony Murray <murraytony@gmail.com>
    + */
    +
    +namespace App\Http\Controllers\Table;
    +
    +use App\Models\Ipv4Address;
    +use Illuminate\Http\Request;
    +use Illuminate\Support\Facades\DB;
    +
    +/**
    + * @extends AddressSearchController<Ipv4Address>
    + */
    +class Ipv4AddressSearchController extends AddressSearchController
    +{
    +    public function __construct()
    +    {
    +        $this->sortField = DB::raw('INET_ATON(ipv4_address)');
    +        $this->searchField = 'ipv4_address';
    +        $this->cidrField = 'ipv4_prefixlen';
    +    }
    +
    +    /**
    +     * @inheritDoc
    +     */
    +    protected function baseQuery(Request $request)
    +    {
    +        return $this->applyBaseSearchQuery(
    +            Ipv4Address::query()->hasAccess($request->user())->with(['port', 'port.device']),
    +            $request
    +        );
    +    }
    +}
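Review bot: Access control in `baseQuery` now rests entirely on the `hasAccess($request->user())` scope, whose definition is not part of this diff. The removed `includes/html/table/address-search.inc.php` restricted the query to the user's device ids and additionally filtered every row with `port_permitted($interface['port_id'])`, so the scope needs to cover port-level permissions as well as device-level ones for the result set to stay equivalent. I would record that next to the call, for example `// hasAccess() replaces the device-id filter and port_permitted() check of the old address-search.inc.php`, and add a feature test with a restricted user. The same applies to `Ipv6AddressSearchController::baseQuery` and `MacSearchController::baseQuery`.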
    
  • app/Http/Controllers/Table/Ipv6AddressSearchController.php+56 0 added
    @@ -0,0 +1,56 @@
    +<?php
    +
    +/**
    + * Ipv6SearchController.php
    + *
    + * -Description-
    + *
    + * This program is free software: you can redistribute it and/or modify
    + * it under the terms of the GNU General Public License as published by
    + * the Free Software Foundation, either version 3 of the License, or
    + * (at your option) any later version.
    + *
    + * This program is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
    + * GNU General Public License for more details.
    + *
    + * You should have received a copy of the GNU General Public License
    + * along with this program.  If not, see <https://www.gnu.org/licenses/>.
    + *
    + * @link       https://www.librenms.org
    + *
    + * @copyright  2026 Tony Murray
    + * @author     Tony Murray <murraytony@gmail.com>
    + */
    +
    +namespace App\Http\Controllers\Table;
    +
    +use App\Models\Ipv6Address;
    +use Illuminate\Http\Request;
    +use Illuminate\Support\Facades\DB;
    +
    +/**
    + * @extends AddressSearchController<Ipv6Address>
    + */
    +class Ipv6AddressSearchController extends AddressSearchController
    +{
    +    public function __construct()
    +    {
    +        $this->sortField = DB::raw('INET6_ATON(ipv6_address)');
    +        $this->searchField = 'ipv6_address';
    +        $this->additionalSearchField = 'ipv6_compressed';
    +        $this->cidrField = 'ipv6_prefixlen';
    +    }
    +
    +    /**
    +     * @inheritDoc
    +     */
    +    protected function baseQuery(Request $request)
    +    {
    +        return $this->applyBaseSearchQuery(
    +            Ipv6Address::query()->hasAccess($request->user())->with(['port', 'port.device']),
    +            $request
    +        );
    +    }
    +}
    
  • app/Http/Controllers/Table/MacSearchController.php+87 0 added
    @@ -0,0 +1,87 @@
    +<?php
    +
    +/**
    + * MacSearchController.php
    + *
    + * -Description-
    + *
    + * This program is free software: you can redistribute it and/or modify
    + * it under the terms of the GNU General Public License as published by
    + * the Free Software Foundation, either version 3 of the License, or
    + * (at your option) any later version.
    + *
    + * This program is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
    + * GNU General Public License for more details.
    + *
    + * You should have received a copy of the GNU General Public License
    + * along with this program.  If not, see <https://www.gnu.org/licenses/>.
    + *
    + * @link       https://www.librenms.org
    + *
    + * @copyright  2026 Tony Murray
    + * @author     Tony Murray <murraytony@gmail.com>
    + */
    +
    +namespace App\Http\Controllers\Table;
    +
    +use App\Models\Port;
    +use Illuminate\Http\Request;
    +use Illuminate\Validation\Rule;
    +use LibreNMS\Util\Mac;
    +use LibreNMS\Util\Url;
    +
    +class MacSearchController extends TableController
    +{
    +    protected function rules()
    +    {
    +        return [
    +            'address' => ['nullable', 'string'],
    +            'device_id' => ['nullable', 'integer'],
    +            'interface' => ['nullable', Rule::in('Vlan%', 'Loopback%')],
    +        ];
    +    }
    +
    +    protected function sortFields($request)
    +    {
    +        return [
    +            'hostname' => 'device_hostname',
    +            'interface' => 'ifDescr',
    +            'description' => 'ifAlias',
    +            'address' => 'ifPhysAddress',
    +        ];
    +    }
    +
    +    protected function baseQuery(Request $request)
    +    {
    +        return Port::query()
    +            ->hasAccess($request->user())
    +            ->with('device')
    +            ->when($request->get('device_id'), fn ($q, $id) => $q->where('device_id', $id))
    +            ->when($request->get('interface'), fn ($q, $i) => $q->where('ifDescr', 'LIKE', $i))
    +            ->when($request->get('address'), function ($q, $mac) {
    +                $cleanMac = str_replace([':', ' ', '-', '.', '0x'], '', $mac);
    +
    +                return $q->where('ifPhysAddress', 'LIKE', "%$cleanMac%");
    +            })
    +            ->when($request->has('sort.hostname'), fn ($q) => $q->withAggregate('device', 'hostname'));
    +    }
    +
    +    /**
    +     * @param  Port  $model
    +     * @return array
    +     */
    +    public function formatItem($model): array
    +    {
    +        $mac = Mac::parse($model->ifPhysAddress);
    +
    +        return [
    +            'hostname' => Url::modernDeviceLink($model->device),
    +            'interface' => Url::portLink($model),
    +            'address' => $mac->readable(),
    +            'description' => $model->getLabel() == $model->ifAlias ? '' : $model->ifAlias,
    +            'mac_oui' => $mac->vendor(),
    +        ];
    +    }
    +}
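Review bot: `$cleanMac` in `baseQuery` is passed as a bound parameter, but any `%` or `_` in the search term keeps its LIKE meaning, because `str_replace` removes only the separators and `0x`. Reducing the term to hex digits makes the match literal: `$cleanMac = preg_replace('/[^0-9a-f]/i', '', str_replace('0x', '', $mac));`. The `"%$address%"` patterns in `AddressSearchController::applyBaseSearchQuery` have the same property; there the wildcards would need escaping rather than stripping.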
    
  • app/Models/Ipv4Address.php+13 1 modified
    @@ -29,6 +29,7 @@
     
     use Illuminate\Database\Eloquent\Factories\HasFactory;
     use Illuminate\Database\Eloquent\Relations\BelongsTo;
    +use Illuminate\Database\Eloquent\Relations\HasOneThrough;
     use LibreNMS\Interfaces\Models\Keyable;
     
     class Ipv4Address extends PortRelatedModel implements Keyable
    @@ -46,13 +47,24 @@ class Ipv4Address extends PortRelatedModel implements Keyable
         ];
     
         /**
    -     * @return \Illuminate\Database\Eloquent\Relations\BelongsTo<\App\Models\Ipv4Network, $this>
    +     * @return BelongsTo<Ipv4Network, $this>
          */
         public function network(): BelongsTo
         {
             return $this->belongsTo(Ipv4Network::class, 'ipv4_network_id', 'ipv4_network_id');
         }
     
    +    /**
    +     * This is not a standard relationship it is a shortcut to generate an aggregate for sorting.
    +     * Use port.device nested relationship to access device.
    +     *
    +     * @return HasOneThrough<Device, Port, $this>
    +     */
    +    public function deviceViaPort(): HasOneThrough
    +    {
    +        return $this->hasOneThrough(Device::class, Port::class, 'port_id', 'device_id', 'port_id', 'device_id');
    +    }
    +
         public function getCompositeKey(): string
         {
             return "$this->ipv4_address-$this->ipv4_prefixlen-$this->port_id-$this->context_name";
    
  • app/Models/Ipv6Address.php+13 1 modified
    @@ -28,6 +28,7 @@
     namespace App\Models;
     
     use Illuminate\Database\Eloquent\Relations\BelongsTo;
    +use Illuminate\Database\Eloquent\Relations\HasOneThrough;
     use LibreNMS\Interfaces\Models\Keyable;
     
     class Ipv6Address extends PortRelatedModel implements Keyable
    @@ -45,13 +46,24 @@ class Ipv6Address extends PortRelatedModel implements Keyable
         ];
     
         /**
    -     * @return \Illuminate\Database\Eloquent\Relations\BelongsTo<\App\Models\Ipv6Network, $this>
    +     * @return BelongsTo<Ipv6Network, $this>
          */
         public function network(): BelongsTo
         {
             return $this->belongsTo(Ipv6Network::class, 'ipv6_network_id', 'ipv6_network_id');
         }
     
    +    /**
    +     * This is not a standard relationship it is a shortcut to generate an aggregate for sorting.
    +     * Use port.device nested relationship to access device.
    +     *
    +     * @return HasOneThrough<Device, Port, $this>
    +     */
    +    public function deviceViaPort(): HasOneThrough
    +    {
    +        return $this->hasOneThrough(Device::class, Port::class, 'port_id', 'device_id', 'port_id', 'device_id');
    +    }
    +
         public function getCompositeKey(): string
         {
             return "$this->ipv6_address-$this->ipv6_prefixlen-$this->port_id-$this->context_name";
    
  • includes/html/pages/search/ipv4.inc.php+3 5 modified
    @@ -8,7 +8,7 @@
                     <th data-column-id="hostname" data-order="asc">Device</th>
                     <th data-column-id="interface">Interface</th>
                     <th data-column-id="address" data-formatter="tooltip">Address</th>
    -                <th data-column-id="description" data-sortable="false" data-formatter="tooltip">Description</th>
    +                <th data-column-id="description" data-formatter="tooltip">Description</th>
                 </tr>
             </thead>
         </table>
    @@ -87,14 +87,12 @@
         post: function ()
         {
             return {
    -            id: "address-search",
    -            search_type: "ipv4",
    -            device_id: '<?php echo $device_id ?: 'null'; ?>',
    +            device_id: '<?php echo $device_id ?: ''; ?>',
                 interface: '<?php echo htmlspecialchars((string) $interface); ?>',
                 address: '<?php echo htmlspecialchars((string) $address); ?>'
             };
         },
    -    url: "ajax_table.php",
    +    url: "<?php echo route('search.ipv4'); ?>",
         formatters: {
             "tooltip": function (column, row) {
                     var value = row[column.id];
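Review bot: The changed `device_id` line writes `$device_id` into a single-quoted JavaScript string with no output encoding, and the place where that variable is assigned is outside this hunk. If it is not already an integer there, cast it at the point of output: `device_id: '<?php echo (int) $device_id ?: ''; ?>',`. The neighbouring `interface` and `address` lines use `htmlspecialchars`, which encodes for HTML rather than for a script string; `json_encode` with `JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP` is the encoder that matches this context. The same lines appear in the `post` hunks of `ipv6.inc.php` and `mac.inc.php`.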
    
  • includes/html/pages/search/ipv6.inc.php+3 5 modified
    @@ -8,7 +8,7 @@
                     <th data-column-id="hostname">Device</th>
                     <th data-column-id="interface">Interface</th>
                     <th data-column-id="address" data-formatter="tooltip">Address</th>
    -                <th data-column-id="description" data-sortable="false" data-formatter="tooltip">Description</th>
    +                <th data-column-id="description" data-formatter="tooltip">Description</th>
                 </tr>
             <thead>
         </table>
    @@ -88,14 +88,12 @@
         post: function ()
         {
             return {
    -            id: "address-search",
    -            search_type: "ipv6",
    -            device_id: '<?php echo $device_id ?: 'null'; ?>',
    +            device_id: '<?php echo $device_id ?: ''; ?>',
                 interface: '<?php echo htmlspecialchars((string) $interface); ?>',
                 address: '<?php echo htmlspecialchars((string) $address); ?>'
             };
         },
    -    url: "ajax_table.php",
    +    url: "<?php echo route('search.ipv6'); ?>",
         formatters: {
             "tooltip": function (column, row) {
                     var value = row[column.id];
    
  • includes/html/pages/search/mac.inc.php+4 6 modified
    @@ -7,9 +7,9 @@
                 <tr>
                     <th data-column-id="hostname" data-order="asc">Device</th>
                     <th data-column-id="interface">Interface</th>
    -                <th data-column-id="address" data-sortable="false" data-formatter="tooltip">MAC Address</th>
    +                <th data-column-id="address" data-formatter="tooltip">MAC Address</th>
                     <th data-column-id="mac_oui" data-sortable="false" data-width="150px" data-visible="<?php echo \App\Facades\LibrenmsConfig::get('mac_oui.enabled') ? 'true' : 'false' ?>" data-formatter="tooltip">Vendor</th>
    -                <th data-column-id="description" data-sortable="false" data-formatter="tooltip">Description</th></tr>
    +                <th data-column-id="description" data-formatter="tooltip">Description</th></tr>
                 </tr>
             </thead>
         </table>
    @@ -91,14 +91,12 @@
         post: function ()
         {
             return {
    -            id: "address-search",
    -            search_type: "mac",
    -            device_id: '<?php echo $device_id ?: 'null'; ?>',
    +            device_id: '<?php echo $device_id ?: ''; ?>',
                 interface: '<?php echo htmlspecialchars((string) $interface); ?>',
                 address: '<?php echo htmlspecialchars((string) $address); ?>'
             };
         },
    -    url: "ajax_table.php",
    +    url: "<?php echo route('search.mac'); ?>",
         formatters: {
             "tooltip": function (column, row) {
                     var value = row[column.id];
    
  • includes/html/table/address-search.inc.php+0 148 removed
    @@ -1,148 +0,0 @@
    -<?php
    -
    -use LibreNMS\Util\IP;
    -use LibreNMS\Util\Mac;
    -
    -$param = [];
    -$where = '';
    -
    -if (! Auth::user()->hasGlobalRead()) {
    -    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
    -    $where .= ' AND `D`.`device_id` IN ' . dbGenPlaceholders(count($device_ids));
    -    $param = array_merge($param, $device_ids);
    -}
    -
    -$search_type = $vars['search_type'] ?? 'ipv4';
    -$address = $vars['address'] ?? '';
    -$prefix = '';
    -$sort = trim((string) $sort);
    -
    -if (str_contains($address, '/')) {
    -    [$address, $prefix] = explode('/', $address, 2);
    -}
    -
    -if ($search_type == 'ipv4') {
    -    $sql = ' FROM `ipv4_addresses` AS A, `ports` AS I, `devices` AS D';
    -    $sql .= ' WHERE I.port_id = A.port_id AND I.device_id = D.device_id ' . $where . ' ';
    -
    -    if (! empty($address)) {
    -        $sql .= ' AND ipv4_address LIKE ?';
    -        $param[] = "%$address%";
    -    }
    -
    -    if (! empty($prefix)) {
    -        $sql .= " AND ipv4_prefixlen='$prefix'";
    -    }
    -
    -    if (str_contains($sort, 'address')) {
    -        $order = explode(' ', $sort)[1];
    -        $sort = 'INET_ATON(ipv4_address) ' . $order;
    -    }
    -} elseif ($search_type == 'ipv6') {
    -    $sql = ' FROM `ipv6_addresses` AS A, `ports` AS I, `devices` AS D';
    -    $sql .= ' WHERE I.port_id = A.port_id AND I.device_id = D.device_id ' . $where . ' ';
    -
    -    if (! empty($address)) {
    -        $sql .= ' AND (ipv6_address LIKE ? OR ipv6_compressed LIKE ?)';
    -        $param[] = "%$address%";
    -        $param[] = "%$address%";
    -    }
    -
    -    if (! empty($prefix)) {
    -        $sql .= " AND ipv6_prefixlen = '$prefix'";
    -    }
    -
    -    if (str_contains($sort, 'address')) {
    -        $order = explode(' ', $sort)[1];
    -        $sort = 'INET6_ATON(ipv6_address) ' . $order;
    -    }
    -} elseif ($search_type == 'mac') {
    -    $sql = ' FROM `ports` AS I, `devices` AS D';
    -    $sql .= " WHERE I.device_id = D.device_id  $where ";
    -    if (! empty($address)) {
    -        $sql .= ' AND `ifPhysAddress` LIKE ?';
    -        $param[] = '%' . trim(str_replace([':', ' ', '-', '.', '0x'], '', $vars['address'])) . '%';
    -    }
    -}//end if
    -if (isset($vars['device_id']) && is_numeric($vars['device_id'])) {
    -    $sql .= ' AND I.device_id = ?';
    -    $param[] = $vars['device_id'];
    -}
    -
    -if (isset($vars['interface']) && $vars['interface']) {
    -    $sql .= ' AND I.ifDescr LIKE ?';
    -    $param[] = $vars['interface'];
    -}
    -
    -if ($search_type == 'ipv4') {
    -    $count_sql = "SELECT COUNT(`ipv4_address_id`) $sql";
    -} elseif ($search_type == 'ipv6') {
    -    $count_sql = "SELECT COUNT(`ipv6_address_id`) $sql";
    -} elseif ($search_type == 'mac') {
    -    $count_sql = "SELECT COUNT(`port_id`) $sql";
    -}
    -
    -$total = dbFetchCell($count_sql, $param);
    -if (empty($total)) {
    -    $total = 0;
    -}
    -
    -if (! isset($sort) || empty($sort)) {
    -    $sort = '`hostname` ASC';
    -}
    -
    -$sql .= " ORDER BY $sort";
    -
    -if (isset($current)) {
    -    $limit_low = (($current * $rowCount) - $rowCount);
    -    $limit_high = $rowCount;
    -}
    -
    -if ($rowCount != -1) {
    -    $sql .= " LIMIT $limit_low,$limit_high";
    -}
    -
    -$sql = "SELECT *,`I`.`ifDescr` AS `interface` $sql";
    -
    -foreach (dbFetchRows($sql, $param) as $interface) {
    -    $speed = \LibreNMS\Util\Number::formatSi($interface['ifSpeed'], 2, 0, 'bps');
    -    $type = \LibreNMS\Util\Rewrite::normalizeIfType($interface['ifType']);
    -
    -    if ($search_type == 'ipv6') {
    -        $address = (string) IP::parse($interface['ipv6_address'], true) . '/' . $interface['ipv6_prefixlen'];
    -    } elseif ($search_type == 'mac') {
    -        $mac = Mac::parse($interface['ifPhysAddress']);
    -        $address = $mac->readable();
    -        $mac_oui = $mac->vendor();
    -    } else {
    -        $address = (string) IP::parse($interface['ipv4_address'], true) . '/' . $interface['ipv4_prefixlen'];
    -    }
    -
    -    if (isset($interface['in_errors'], $interface['out_errors']) && ($interface['in_errors'] > 0 || $interface['out_errors'] > 0)) {
    -        $error_img = generate_port_link($interface, "<i class='fa fa-flag fa-lg' style='color:red' aria-hidden='true'></i>", 'errors');
    -    } else {
    -        $error_img = '';
    -    }
    -
    -    if (port_permitted($interface['port_id'])) {
    -        $interface = cleanPort($interface, $interface);
    -        $row = [
    -            'hostname' => generate_device_link($interface),
    -            'interface' => generate_port_link($interface) . ' ' . $error_img,
    -            'address' => $address,
    -            'description' => $interface['ifAlias'],
    -        ];
    -        if ($search_type == 'mac') {
    -            $row['mac_oui'] = $mac_oui;
    -        }
    -        $response[] = $row;
    -    }
    -}//end foreach
    -
    -$output = [
    -    'current' => $current,
    -    'rowCount' => $rowCount,
    -    'rows' => $response,
    -    'total' => $total,
    -];
    -echo json_encode($output, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
    
  • routes/web.php+3 0 modified
    @@ -287,6 +287,9 @@
     
             // jquery bootgrid data controllers
             Route::prefix('table')->group(function (): void {
    +            Route::any('address-search/ipv4', Table\Ipv4AddressSearchController::class)->name('search.ipv4');
    +            Route::any('address-search/ipv6', Table\Ipv6AddressSearchController::class)->name('search.ipv6');
    +            Route::any('address-search/mac', Table\MacSearchController::class)->name('search.mac');
                 Route::post('alert-schedule', Table\AlertScheduleController::class);
                 Route::post('customers', Table\CustomersController::class);
                 Route::post('diskio', Table\DiskioController::class)->name('table.diskio');
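Review bot: The three new search routes are registered with `Route::any`, while the neighbouring table routes visible in this hunk use `Route::post`, so they also answer GET and other verbs. The grids in the `search/*.inc.php` pages supply their parameters through a `post` callback, which suggests POST is sufficient: `Route::post('address-search/ipv4', Table\Ipv4AddressSearchController::class)->name('search.ipv4');`, and likewise for `ipv6` and `mac`. Restricting the verb keeps search terms out of URLs and access logs. If the enclosing group applies Laravel's CSRF middleware, which skips read verbs, it also keeps these endpoints under the same check as the other table controllers; the group definition starts outside this hunk, so that should be confirmed there.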
    
