In LibreNMS versions 25.12.0 and below a critical severity vulnerability CVE-2026-26988 was detected. This vulnerability allows authenticated attackers to perform SQL Injection via the ajax_table.php endpoint by manipulating the IPv6 address prefix, potentially leading to unauthorized data access or database manipulation. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26988.
Read more MonitoringIn Jenkins versions 2.483 through 2.550, and LTS versions 2.492.1 through 2.541.1 a high severity vulnerability CVE-2026-27099 was detected. This vulnerability allows attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts through the “Mark temporarily offline” offline cause description, which is not properly escaped before being stored and displayed. To address this issue, users should upgrade Jenkins to versions 2.551 or 2.541.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27099.
Read more Developer ToolsIn LibreNMS versions 24.10.0 through 26.1.1 a medium severity vulnerability CVE-2026-27016 was detected. This vulnerability allows attackers to inject malicious scripts through the Custom OID unit parameter due to missing strip_tags() sanitization. The unsanitized input is stored in the database and rendered without proper HTML escaping, allowing stored cross-site scripting (XSS) attacks when the affected data is viewed. To address this issue, users should upgrade LibreNMS to version 26.2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27016.
Read more MonitoringIn LibreNMS versions 26.1.1 and below a medium severity vulnerability CVE-2026-26992 was detected. This vulnerability allows attackers with administrative privileges to inject and store malicious scripts through the unsanitized port group name parameter, which may execute when viewed by other users, potentially compromising their session or browser context. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26992.
Read more MonitoringIn LibreNMS versions 25.12.0 and below a high severity vulnerability CVE-2026-26990 was detected. This vulnerability allows authenticated users to perform time-based blind SQL injection via the `address` parameter in `address-search.inc.php`, enabling attackers to infer database information by manipulating query logic and observing conditional response times. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26990.
Read more MonitoringIn LibreNMS versions 25.12.0 and below a medium severity vulnerability CVE-2026-26989 was detected. This vulnerability allows attackers with administrative privileges to perform Stored Cross-Site Scripting (XSS) in the Alert Rules workflow, enabling execution of malicious scripts in the browser of any user who accesses the Alert Rules page. To address this issue, users should upgrade LibreNMS to version 26.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26989.
Read more MonitoringIn Jenkins versions 2.550 and earlier, including LTS 2.541.1 and earlier a medium severity vulnerability CVE-2026-27100 was detected. This vulnerability allows attackers with Item/Build and Item/Configure permissions to submit Run Parameter values referencing builds they do not have access to, thereby disclosing information about the existence of jobs, builds, and build display names. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27100.
Read more Newsflash Data AnalyticsIn Graylog version 2.2.3 a medium severity vulnerability CVE-2026-1438 was detected. This vulnerability allows attackers to inject and execute arbitrary JavaScript code in a victim’s browser via a reflected Cross-Site Scripting (XSS) flaw in the Web Interface console due to improper sanitization and escaping of URL segments in the ‘/system/nodes/’ endpoint. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1438.
Read more Data AnalyticsIn Graylog version 2.2.3, a medium severity vulnerability CVE-2026-1437 was detected. This vulnerability allows attackers to inject and execute arbitrary JavaScript code in a victim’s browser via a reflected Cross-Site Scripting (XSS) flaw in the Web Interface console due to improper sanitization and escaping of URL segments in the ‘/system/authentication/users/edit/’ endpoint. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1437.
Read more Data Analytics