Moderate severity · NVD Advisory · Published Feb 20, 2026 · Updated Feb 20, 2026
LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags()
CVE-2026-27016
Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0.
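The handling described above, as an added example (not LibreNMS code): it contrasts storing the unit verbatim with the strip_tags() fix, shows output encoding at the render step, and flags stored values that contain markup. Function names and sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; function names and sample values are constructed for illustration.

/** Form handling as in affected versions: the unit is taken verbatim. */
function unit_before_fix(array $post): string
{
    return (string) ($post['unit'] ?? '');
}

/** Form handling after the fix: tags are stripped before storage. */
function unit_after_fix(array $post): string
{
    return strip_tags((string) ($post['unit'] ?? ''));
}

/** Output encoding at the sink, which neutralises markup however it was stored. */
function render_unit(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Audit helper: true when a stored value contains something strip_tags() would remove. */
function contains_markup(string $stored): bool
{
    return $stored !== strip_tags($stored);
}

// Constructed inputs: a plain unit, a unit carrying markup, and one with quotes.
$samples = ['ms', 'ms<script>alert(1)</script>', 'pkts "in" & out'];

foreach ($samples as $value) {
    $post = ['unit' => $value];
    printf(
        "input=%s\n  before=%s\n  after=%s\n  rendered=%s\n  flagged=%s\n",
        var_export($value, true),
        var_export(unit_before_fix($post), true),
        var_export(unit_after_fix($post), true),
        var_export(render_unit(unit_before_fix($post)), true),
        var_export(contains_markup($value), true)
    );
}
```

The fix changes only the form handler, so units saved by an affected version are not rewritten by the upgrade; a check like contains_markup() over existing values is worth running after patching.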
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| librenms/librenms (Packagist) | >= 24.10.0, < 26.2.0 | 26.2.0 |
Affected products (1)
Patches (1)
1 file changed · +1 −1
includes/html/forms/customoid.inc.php+1 −1 modified@@ -18,7 +18,7 @@ $name = strip_tags((string) $_POST['name']); $oid = strip_tags((string) $_POST['oid']); $datatype = strip_tags((string) $_POST['datatype']); -$unit = $_POST['unit']; +$unit = strip_tags((string) $_POST['unit']); $limit = $_POST['limit']; $limit_warn = $_POST['limit_warn']; $limit_low = $_POST['limit_low'];
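Review bot: the context lines of this hunk still assign `$limit`, `$limit_warn` and `$limit_low` straight from `$_POST` with no cast or filter, unlike the four fields above them; if these are numeric thresholds, validate them as numbers (for example with is_numeric() or a float cast) in the same change. Separately, strip_tags() on `$unit` only filters new submissions: the description says the value is rendered without HTML escaping, so the output path should escape it as well, which would also cover values already stored.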
References (6)
- github.com/advisories/GHSA-fqx6-693c-f55g (source: ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-27016 (source: ghsa; ADVISORY)
- github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335 (source: ghsa; x_refsource_MISC; WEB)
- github.com/librenms/librenms/pull/19040 (source: ghsa; x_refsource_MISC; WEB)
- github.com/librenms/librenms/releases/tag/26.2.0 (source: ghsa; x_refsource_MISC; WEB)
- github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g (source: ghsa; x_refsource_CONFIRM; WEB)