High severityNVD Advisory· Published Feb 20, 2026· Updated Feb 20, 2026
LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php
CVE-2026-26990
Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
librenms/librenmsPackagist | < 26.2.0 | 26.2.0 |
Affected products
1Patches
115429580babaRewrite address search backend (#18777)
11 files changed · +352 −166
app/Http/Controllers/Table/AddressSearchController.php+115 −0 added@@ -0,0 +1,115 @@ +<?php + +/** + * SearchController.php + * + * -Description- + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/>. + * + * @link https://www.librenms.org + * + * @copyright 2026 Tony Murray + * @author Tony Murray <murraytony@gmail.com> + */ + +namespace App\Http\Controllers\Table; + +use App\Models\Port; +use Illuminate\Contracts\Database\Query\Expression; +use Illuminate\Database\Eloquent\Builder; +use Illuminate\Database\Eloquent\Model; +use Illuminate\Http\Request; +use Illuminate\Support\Facades\DB; +use Illuminate\Validation\Rule; +use LibreNMS\Exceptions\InvalidIpException; +use LibreNMS\Util\IP; +use LibreNMS\Util\Url; + +/** + * @template TModel of Model + */ +abstract class AddressSearchController extends TableController +{ + /** @var string|Expression (string or DB::raw) */ + protected mixed $sortField = ''; // set for sort + protected string $searchField = ''; + protected string $additionalSearchField = ''; + protected string $cidrField = ''; // set for display + + protected function sortFields($request) + { + return [ + 'hostname' => 'device_via_port_hostname', + 'interface' => 'port_ifname', + 'description' => 'port_description', + 'address' => $this->sortField, + ]; + } + + protected function rules() + { + return [ + 'address' => ['nullable', 'string'], + 'device_id' => ['nullable', 'integer'], + 'interface' => ['nullable', Rule::in('Vlan%', 'Loopback%')], + ]; + } + + /** + * @param TModel&object{port: Port|null} $model + * @return string[] + * + * @throws InvalidIpException + */ + public function formatItem($model): array + { + $port = $model->port; + + return [ + 'hostname' => Url::modernDeviceLink($port?->device), + 'interface' => Url::portLink($port), + 'address' => IP::parse($model->{$this->searchField}, true)->compressed() . '/' . $model->{$this->cidrField}, + 'description' => $port->getLabel() == $port->ifAlias ? '' : $port->ifAlias, + ]; + } + + protected function applyBaseSearchQuery(Builder $builder, Request $request): Builder + { + return $builder + ->when($request->get('address'), function ($q, $address): void { + if (str_contains($address, '/')) { + [$address, $cidr] = explode('/', $address, 2); + } + + $q->where(fn ($q) => $q->where($this->searchField, 'LIKE', "%$address%")->when($this->additionalSearchField, fn ($q, $f) => $q->orWhere($f, 'LIKE', "%$address%"))); + + if (isset($cidr)) { + $q->where($this->cidrField, $cidr); + } + }) + ->when($request->get('device_id'), fn ($q, $id) => $q->whereHas('port', fn ($pq) => $pq->where('device_id', $id))) + ->when($request->get('interface'), fn ($q, $i) => $q->whereHas('port', fn ($pq) => $pq->where('ifDescr', 'LIKE', $i))) + ->when($request->has('sort.hostname'), fn ($q) => $q->withAggregate('deviceViaPort', 'hostname')) + ->when($request->has('sort.interface'), fn ($q) => $q->withAggregate('port', 'ifName')) + ->when($request->has('sort.description'), function ($q) use ($builder): void { + $q->select($builder->getModel()->getTable() . '.*')->selectSub(function ($sub) use ($builder): void { + $sub->selectRaw('IF(ifAlias = ifName || ifAlias = ifDescr, "", ifAlias)') + ->from('ports') + ->whereColumn('ports.port_id', $builder->qualifyColumn('port_id')) + ->limit(1); + }, 'port_description'); + }); + } +}
app/Http/Controllers/Table/Ipv4AddressSearchController.php+55 −0 added@@ -0,0 +1,55 @@ +<?php + +/** + * Ipv4SearchController.php + * + * -Description- + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/>. + * + * @link https://www.librenms.org + * + * @copyright 2026 Tony Murray + * @author Tony Murray <murraytony@gmail.com> + */ + +namespace App\Http\Controllers\Table; + +use App\Models\Ipv4Address; +use Illuminate\Http\Request; +use Illuminate\Support\Facades\DB; + +/** + * @extends AddressSearchController<Ipv4Address> + */ +class Ipv4AddressSearchController extends AddressSearchController +{ + public function __construct() + { + $this->sortField = DB::raw('INET_ATON(ipv4_address)'); + $this->searchField = 'ipv4_address'; + $this->cidrField = 'ipv4_prefixlen'; + } + + /** + * @inheritDoc + */ + protected function baseQuery(Request $request) + { + return $this->applyBaseSearchQuery( + Ipv4Address::query()->hasAccess($request->user())->with(['port', 'port.device']), + $request + ); + } +}
app/Http/Controllers/Table/Ipv6AddressSearchController.php+56 −0 added@@ -0,0 +1,56 @@ +<?php + +/** + * Ipv6SearchController.php + * + * -Description- + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/>. + * + * @link https://www.librenms.org + * + * @copyright 2026 Tony Murray + * @author Tony Murray <murraytony@gmail.com> + */ + +namespace App\Http\Controllers\Table; + +use App\Models\Ipv6Address; +use Illuminate\Http\Request; +use Illuminate\Support\Facades\DB; + +/** + * @extends AddressSearchController<Ipv6Address> + */ +class Ipv6AddressSearchController extends AddressSearchController +{ + public function __construct() + { + $this->sortField = DB::raw('INET6_ATON(ipv6_address)'); + $this->searchField = 'ipv6_address'; + $this->additionalSearchField = 'ipv6_compressed'; + $this->cidrField = 'ipv6_prefixlen'; + } + + /** + * @inheritDoc + */ + protected function baseQuery(Request $request) + { + return $this->applyBaseSearchQuery( + Ipv6Address::query()->hasAccess($request->user())->with(['port', 'port.device']), + $request + ); + } +}
app/Http/Controllers/Table/MacSearchController.php+87 −0 added@@ -0,0 +1,87 @@ +<?php + +/** + * MacSearchController.php + * + * -Description- + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/>. + * + * @link https://www.librenms.org + * + * @copyright 2026 Tony Murray + * @author Tony Murray <murraytony@gmail.com> + */ + +namespace App\Http\Controllers\Table; + +use App\Models\Port; +use Illuminate\Http\Request; +use Illuminate\Validation\Rule; +use LibreNMS\Util\Mac; +use LibreNMS\Util\Url; + +class MacSearchController extends TableController +{ + protected function rules() + { + return [ + 'address' => ['nullable', 'string'], + 'device_id' => ['nullable', 'integer'], + 'interface' => ['nullable', Rule::in('Vlan%', 'Loopback%')], + ]; + } + + protected function sortFields($request) + { + return [ + 'hostname' => 'device_hostname', + 'interface' => 'ifDescr', + 'description' => 'ifAlias', + 'address' => 'ifPhysAddress', + ]; + } + + protected function baseQuery(Request $request) + { + return Port::query() + ->hasAccess($request->user()) + ->with('device') + ->when($request->get('device_id'), fn ($q, $id) => $q->where('device_id', $id)) + ->when($request->get('interface'), fn ($q, $i) => $q->where('ifDescr', 'LIKE', $i)) + ->when($request->get('address'), function ($q, $mac) { + $cleanMac = str_replace([':', ' ', '-', '.', '0x'], '', $mac); + + return $q->where('ifPhysAddress', 'LIKE', "%$cleanMac%"); + }) + ->when($request->has('sort.hostname'), fn ($q) => $q->withAggregate('device', 'hostname')); + } + + /** + * @param Port $model + * @return array + */ + public function formatItem($model): array + { + $mac = Mac::parse($model->ifPhysAddress); + + return [ + 'hostname' => Url::modernDeviceLink($model->device), + 'interface' => Url::portLink($model), + 'address' => $mac->readable(), + 'description' => $model->getLabel() == $model->ifAlias ? '' : $model->ifAlias, + 'mac_oui' => $mac->vendor(), + ]; + } +}
app/Models/Ipv4Address.php+13 −1 modified@@ -29,6 +29,7 @@ use Illuminate\Database\Eloquent\Factories\HasFactory; use Illuminate\Database\Eloquent\Relations\BelongsTo; +use Illuminate\Database\Eloquent\Relations\HasOneThrough; use LibreNMS\Interfaces\Models\Keyable; class Ipv4Address extends PortRelatedModel implements Keyable @@ -46,13 +47,24 @@ class Ipv4Address extends PortRelatedModel implements Keyable ]; /** - * @return \Illuminate\Database\Eloquent\Relations\BelongsTo<\App\Models\Ipv4Network, $this> + * @return BelongsTo<Ipv4Network, $this> */ public function network(): BelongsTo { return $this->belongsTo(Ipv4Network::class, 'ipv4_network_id', 'ipv4_network_id'); } + /** + * This is not a standard relationship it is a shortcut to generate an aggregate for sorting. + * Use port.device nested relationship to access device. + * + * @return HasOneThrough<Device, Port, $this> + */ + public function deviceViaPort(): HasOneThrough + { + return $this->hasOneThrough(Device::class, Port::class, 'port_id', 'device_id', 'port_id', 'device_id'); + } + public function getCompositeKey(): string { return "$this->ipv4_address-$this->ipv4_prefixlen-$this->port_id-$this->context_name";
app/Models/Ipv6Address.php+13 −1 modified@@ -28,6 +28,7 @@ namespace App\Models; use Illuminate\Database\Eloquent\Relations\BelongsTo; +use Illuminate\Database\Eloquent\Relations\HasOneThrough; use LibreNMS\Interfaces\Models\Keyable; class Ipv6Address extends PortRelatedModel implements Keyable @@ -45,13 +46,24 @@ class Ipv6Address extends PortRelatedModel implements Keyable ]; /** - * @return \Illuminate\Database\Eloquent\Relations\BelongsTo<\App\Models\Ipv6Network, $this> + * @return BelongsTo<Ipv6Network, $this> */ public function network(): BelongsTo { return $this->belongsTo(Ipv6Network::class, 'ipv6_network_id', 'ipv6_network_id'); } + /** + * This is not a standard relationship it is a shortcut to generate an aggregate for sorting. + * Use port.device nested relationship to access device. + * + * @return HasOneThrough<Device, Port, $this> + */ + public function deviceViaPort(): HasOneThrough + { + return $this->hasOneThrough(Device::class, Port::class, 'port_id', 'device_id', 'port_id', 'device_id'); + } + public function getCompositeKey(): string { return "$this->ipv6_address-$this->ipv6_prefixlen-$this->port_id-$this->context_name";
includes/html/pages/search/ipv4.inc.php+3 −5 modified@@ -8,7 +8,7 @@ <th data-column-id="hostname" data-order="asc">Device</th> <th data-column-id="interface">Interface</th> <th data-column-id="address" data-formatter="tooltip">Address</th> - <th data-column-id="description" data-sortable="false" data-formatter="tooltip">Description</th> + <th data-column-id="description" data-formatter="tooltip">Description</th> </tr> </thead> </table> @@ -87,14 +87,12 @@ post: function () { return { - id: "address-search", - search_type: "ipv4", - device_id: '<?php echo $device_id ?: 'null'; ?>', + device_id: '<?php echo $device_id ?: ''; ?>', interface: '<?php echo htmlspecialchars((string) $interface); ?>', address: '<?php echo htmlspecialchars((string) $address); ?>' }; }, - url: "ajax_table.php", + url: "<?php echo route('search.ipv4'); ?>", formatters: { "tooltip": function (column, row) { var value = row[column.id];
includes/html/pages/search/ipv6.inc.php+3 −5 modified@@ -8,7 +8,7 @@ <th data-column-id="hostname">Device</th> <th data-column-id="interface">Interface</th> <th data-column-id="address" data-formatter="tooltip">Address</th> - <th data-column-id="description" data-sortable="false" data-formatter="tooltip">Description</th> + <th data-column-id="description" data-formatter="tooltip">Description</th> </tr> <thead> </table> @@ -88,14 +88,12 @@ post: function () { return { - id: "address-search", - search_type: "ipv6", - device_id: '<?php echo $device_id ?: 'null'; ?>', + device_id: '<?php echo $device_id ?: ''; ?>', interface: '<?php echo htmlspecialchars((string) $interface); ?>', address: '<?php echo htmlspecialchars((string) $address); ?>' }; }, - url: "ajax_table.php", + url: "<?php echo route('search.ipv6'); ?>", formatters: { "tooltip": function (column, row) { var value = row[column.id];
includes/html/pages/search/mac.inc.php+4 −6 modified@@ -7,9 +7,9 @@ <tr> <th data-column-id="hostname" data-order="asc">Device</th> <th data-column-id="interface">Interface</th> - <th data-column-id="address" data-sortable="false" data-formatter="tooltip">MAC Address</th> + <th data-column-id="address" data-formatter="tooltip">MAC Address</th> <th data-column-id="mac_oui" data-sortable="false" data-width="150px" data-visible="<?php echo \App\Facades\LibrenmsConfig::get('mac_oui.enabled') ? 'true' : 'false' ?>" data-formatter="tooltip">Vendor</th> - <th data-column-id="description" data-sortable="false" data-formatter="tooltip">Description</th></tr> + <th data-column-id="description" data-formatter="tooltip">Description</th></tr> </tr> </thead> </table> @@ -91,14 +91,12 @@ post: function () { return { - id: "address-search", - search_type: "mac", - device_id: '<?php echo $device_id ?: 'null'; ?>', + device_id: '<?php echo $device_id ?: ''; ?>', interface: '<?php echo htmlspecialchars((string) $interface); ?>', address: '<?php echo htmlspecialchars((string) $address); ?>' }; }, - url: "ajax_table.php", + url: "<?php echo route('search.mac'); ?>", formatters: { "tooltip": function (column, row) { var value = row[column.id];
includes/html/table/address-search.inc.php+0 −148 removed@@ -1,148 +0,0 @@ -<?php - -use LibreNMS\Util\IP; -use LibreNMS\Util\Mac; - -$param = []; -$where = ''; - -if (! Auth::user()->hasGlobalRead()) { - $device_ids = Permissions::devicesForUser()->toArray() ?: [0]; - $where .= ' AND `D`.`device_id` IN ' . dbGenPlaceholders(count($device_ids)); - $param = array_merge($param, $device_ids); -} - -$search_type = $vars['search_type'] ?? 'ipv4'; -$address = $vars['address'] ?? ''; -$prefix = ''; -$sort = trim((string) $sort); - -if (str_contains($address, '/')) { - [$address, $prefix] = explode('/', $address, 2); -} - -if ($search_type == 'ipv4') { - $sql = ' FROM `ipv4_addresses` AS A, `ports` AS I, `devices` AS D'; - $sql .= ' WHERE I.port_id = A.port_id AND I.device_id = D.device_id ' . $where . ' '; - - if (! empty($address)) { - $sql .= ' AND ipv4_address LIKE ?'; - $param[] = "%$address%"; - } - - if (! empty($prefix)) { - $sql .= " AND ipv4_prefixlen='$prefix'"; - } - - if (str_contains($sort, 'address')) { - $order = explode(' ', $sort)[1]; - $sort = 'INET_ATON(ipv4_address) ' . $order; - } -} elseif ($search_type == 'ipv6') { - $sql = ' FROM `ipv6_addresses` AS A, `ports` AS I, `devices` AS D'; - $sql .= ' WHERE I.port_id = A.port_id AND I.device_id = D.device_id ' . $where . ' '; - - if (! empty($address)) { - $sql .= ' AND (ipv6_address LIKE ? OR ipv6_compressed LIKE ?)'; - $param[] = "%$address%"; - $param[] = "%$address%"; - } - - if (! empty($prefix)) { - $sql .= " AND ipv6_prefixlen = '$prefix'"; - } - - if (str_contains($sort, 'address')) { - $order = explode(' ', $sort)[1]; - $sort = 'INET6_ATON(ipv6_address) ' . $order; - } -} elseif ($search_type == 'mac') { - $sql = ' FROM `ports` AS I, `devices` AS D'; - $sql .= " WHERE I.device_id = D.device_id $where "; - if (! empty($address)) { - $sql .= ' AND `ifPhysAddress` LIKE ?'; - $param[] = '%' . trim(str_replace([':', ' ', '-', '.', '0x'], '', $vars['address'])) . '%'; - } -}//end if -if (isset($vars['device_id']) && is_numeric($vars['device_id'])) { - $sql .= ' AND I.device_id = ?'; - $param[] = $vars['device_id']; -} - -if (isset($vars['interface']) && $vars['interface']) { - $sql .= ' AND I.ifDescr LIKE ?'; - $param[] = $vars['interface']; -} - -if ($search_type == 'ipv4') { - $count_sql = "SELECT COUNT(`ipv4_address_id`) $sql"; -} elseif ($search_type == 'ipv6') { - $count_sql = "SELECT COUNT(`ipv6_address_id`) $sql"; -} elseif ($search_type == 'mac') { - $count_sql = "SELECT COUNT(`port_id`) $sql"; -} - -$total = dbFetchCell($count_sql, $param); -if (empty($total)) { - $total = 0; -} - -if (! isset($sort) || empty($sort)) { - $sort = '`hostname` ASC'; -} - -$sql .= " ORDER BY $sort"; - -if (isset($current)) { - $limit_low = (($current * $rowCount) - $rowCount); - $limit_high = $rowCount; -} - -if ($rowCount != -1) { - $sql .= " LIMIT $limit_low,$limit_high"; -} - -$sql = "SELECT *,`I`.`ifDescr` AS `interface` $sql"; - -foreach (dbFetchRows($sql, $param) as $interface) { - $speed = \LibreNMS\Util\Number::formatSi($interface['ifSpeed'], 2, 0, 'bps'); - $type = \LibreNMS\Util\Rewrite::normalizeIfType($interface['ifType']); - - if ($search_type == 'ipv6') { - $address = (string) IP::parse($interface['ipv6_address'], true) . '/' . $interface['ipv6_prefixlen']; - } elseif ($search_type == 'mac') { - $mac = Mac::parse($interface['ifPhysAddress']); - $address = $mac->readable(); - $mac_oui = $mac->vendor(); - } else { - $address = (string) IP::parse($interface['ipv4_address'], true) . '/' . $interface['ipv4_prefixlen']; - } - - if (isset($interface['in_errors'], $interface['out_errors']) && ($interface['in_errors'] > 0 || $interface['out_errors'] > 0)) { - $error_img = generate_port_link($interface, "<i class='fa fa-flag fa-lg' style='color:red' aria-hidden='true'></i>", 'errors'); - } else { - $error_img = ''; - } - - if (port_permitted($interface['port_id'])) { - $interface = cleanPort($interface, $interface); - $row = [ - 'hostname' => generate_device_link($interface), - 'interface' => generate_port_link($interface) . ' ' . $error_img, - 'address' => $address, - 'description' => $interface['ifAlias'], - ]; - if ($search_type == 'mac') { - $row['mac_oui'] = $mac_oui; - } - $response[] = $row; - } -}//end foreach - -$output = [ - 'current' => $current, - 'rowCount' => $rowCount, - 'rows' => $response, - 'total' => $total, -]; -echo json_encode($output, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
routes/web.php+3 −0 modified@@ -287,6 +287,9 @@ // jquery bootgrid data controllers Route::prefix('table')->group(function (): void { + Route::any('address-search/ipv4', Table\Ipv4AddressSearchController::class)->name('search.ipv4'); + Route::any('address-search/ipv6', Table\Ipv6AddressSearchController::class)->name('search.ipv6'); + Route::any('address-search/mac', Table\MacSearchController::class)->name('search.mac'); Route::post('alert-schedule', Table\AlertScheduleController::class); Route::post('customers', Table\CustomersController::class); Route::post('diskio', Table\DiskioController::class)->name('table.diskio');
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-79q9-wc6p-cf92ghsaADVISORY
- github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1ghsax_refsource_MISCWEB
- github.com/librenms/librenms/pull/18777ghsax_refsource_MISCWEB
- github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.