In changedetection.io versions prior to 0.54.1 a medium severity vulnerability CVE-2026-27645 was detected. This vulnerability allows an attacker to perform Reflected Cross-Site Scripting (XSS) via the RSS single-watch endpoint, where the UUID path parameter is reflected in the HTTP response without HTML escaping, leading to execution of arbitrary JavaScript in the user’s browser. To address this issue, users should upgrade changedetection.io to version 0.54.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27645.
Read more MonitoringIn LibreNMS versions 25.12.0 and below a critical severity vulnerability CVE-2026-26988 was detected. This vulnerability allows authenticated attackers to perform SQL Injection via the ajax_table.php endpoint by manipulating the IPv6 address prefix, potentially leading to unauthorized data access or database manipulation. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26988.
Read more MonitoringIn LibreNMS versions 25.12.0 and below a medium severity vulnerability CVE-2026-26987 was detected. This vulnerability allows attackers to perform Reflected Cross-Site Scripting (XSS) via the email field. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26987.
Read more MonitoringIn changedetection.io versions prior to 0.54.1 a medium severity vulnerability CVE-2026-27696 was detected. This vulnerability allows an authenticated user—or any user when no password is configured—to perform Server-Side Request Forgery (SSRF) via watch URLs, potentially exposing internal network resources and enabling data exfiltration. To address this issue, users should upgrade changedetection.io to version 0.54.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27696.
Read more MonitoringIn LibreNMS versions 24.10.0 through 26.1.1 a medium severity vulnerability CVE-2026-27016 was detected. This vulnerability allows attackers to inject malicious scripts through the Custom OID unit parameter due to missing strip_tags() sanitization. The unsanitized input is stored in the database and rendered without proper HTML escaping, allowing stored cross-site scripting (XSS) attacks when the affected data is viewed. To address this issue, users should upgrade LibreNMS to version 26.2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27016.
Read more MonitoringIn LibreNMS versions 26.1.1 and below a medium severity vulnerability CVE-2026-26992 was detected. This vulnerability allows attackers with administrative privileges to inject and store malicious scripts through the unsanitized port group name parameter, which may execute when viewed by other users, potentially compromising their session or browser context. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26992.
Read more MonitoringIn LibreNMS versions 25.12.0 and below a high severity vulnerability CVE-2026-26990 was detected. This vulnerability allows authenticated users to perform time-based blind SQL injection via the `address` parameter in `address-search.inc.php`, enabling attackers to infer database information by manipulating query logic and observing conditional response times. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26990.
Read more MonitoringIn LibreNMS versions 25.12.0 and below a medium severity vulnerability CVE-2026-26989 was detected. This vulnerability allows attackers with administrative privileges to perform Stored Cross-Site Scripting (XSS) in the Alert Rules workflow, enabling execution of malicious scripts in the browser of any user who accesses the Alert Rules page. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26989.
Read more MonitoringIn changedetection.io versions prior to 0.53.2 a medium severity vulnerability CVE-2026-25527 was detected. This vulnerability allows unauthenticated attackers to read arbitrary local application files via a path traversal flaw in the `/static/<group>/<filename>` route, due to improper validation of the group parameter. To address this issue, users should upgrade changedetection.io to version 0.53.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25527.
Read more Monitoring