Our news and updates

In LibreNMS versions 24.10.0 through 26.1.1 a medium severity vulnerability CVE-2026-27016 was detected. This vulnerability allows attackers to inject malicious scripts through the Custom OID unit parameter due to missing strip_tags() sanitization. The unsanitized input is stored in the database and rendered without proper HTML escaping, allowing stored cross-site scripting (XSS) attacks when the affected data is viewed. To address this issue, users should upgrade LibreNMS to version 26.2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27016.

In LibreNMS versions 26.1.1 and below a medium severity vulnerability CVE-2026-26992 was detected. This vulnerability allows attackers with administrative privileges to inject and store malicious scripts through the unsanitized port group name parameter, which may execute when viewed by other users, potentially compromising their session or browser context. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26992.

In LibreNMS versions 25.12.0 and below a high severity vulnerability CVE-2026-26990 was detected. This vulnerability allows authenticated users to perform time-based blind SQL injection via the `address` parameter in `address-search.inc.php`, enabling attackers to infer database information by manipulating query logic and observing conditional response times. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26990.

In LibreNMS versions 25.12.0 and below a medium severity vulnerability CVE-2026-26989 was detected. This vulnerability allows attackers with administrative privileges to perform Stored Cross-Site Scripting (XSS) in the Alert Rules workflow, enabling execution of malicious scripts in the browser of any user who accesses the Alert Rules page. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26989.

In Jenkins versions 2.550 and earlier, including LTS 2.541.1 and earlier a medium severity vulnerability CVE-2026-27100 was detected. This vulnerability allows attackers with Item/Build and Item/Configure permissions to submit Run Parameter values referencing builds they do not have access to, thereby disclosing information about the existence of jobs, builds, and build display names. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27100.

In Graylog version 2.2.3 a medium severity vulnerability CVE-2026-1438 was detected. This vulnerability allows attackers to inject and execute arbitrary JavaScript code in a victim’s browser via a reflected Cross-Site Scripting (XSS) flaw in the Web Interface console due to improper sanitization and escaping of URL segments in the ‘/system/nodes/’ endpoint. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1438.

In Graylog version 2.2.3, a medium severity vulnerability CVE-2026-1437 was detected. This vulnerability allows attackers to inject and execute arbitrary JavaScript code in a victim’s browser via a reflected Cross-Site Scripting (XSS) flaw in the Web Interface console due to improper sanitization and escaping of URL segments in the ‘/system/authentication/users/edit/’ endpoint. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1437.

In Graylog version 2.2.3 a high severity vulnerability CVE-2026-1436 was detected. This vulnerability allows authenticated users to access other users’ profiles without proper authorization due to an Insecure Direct Object Reference (IDOR) flaw in the API when modifying the user ID in the URL. Exploitation of this issue may expose sensitive information such as names, email addresses, internal identifiers, and last activity. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1436.

In Graylog version 2.2.3 a critical severity vulnerability CVE-2026-1435 was detected. This vulnerability allows an attacker to reuse previously issued session identifiers because the application does not properly invalidate old sessions after new logins. Exploitation of this issue may enable unauthorized access to the application, allowing interaction with the API or web interface and potential compromise of affected accounts. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1435.