CVE-2026-26988
Published 2026-02-20
Priority: P267 · critical · 9.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 7.44% (93.7th percentile)
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| librenms | librenms | < 26.2.0 | 26.2.0 |
| librenms | librenms | >= 0 < 26.2.0 | 26.2.0 |
Detection & IOCs
- Monitor HTTP requests to the ajax_table.php endpoint for SQL injection patterns in the 'address' parameter, particularly in the prefix portion (after the '/' separator) of IPv6 address inputs
- Flag requests to ajax_table.php where the IPv6 prefix field contains SQL metacharacters or injection payloads (e.g., quotes, comment sequences, UNION/SELECT keywords)
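One way to implement the two checks above is to validate the prefix against what an IPv6 prefix length can legitimately be, rather than listing bad keywords. This is an added example, not LibreNMS code or a published rule; it assumes the log source exposes the request path and the urlencoded parameters, and the sample requests are constructed.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "ajax_table.php"  # endpoint named in the advisory

def prefix_is_valid(prefix):
    """An IPv6 prefix length is 1-3 ASCII digits with a value of 0..128."""
    return (prefix.isascii() and prefix.isdigit()
            and len(prefix) <= 3 and int(prefix) <= 128)

def check_request(path, params=""):
    """Return a finding for a suspicious IPv6 search request, else None.

    path   -- request path, optionally with a query string
    params -- urlencoded form body, if the log source records it (assumption)
    """
    parts = urlsplit(path)
    if not parts.path.endswith("/" + ENDPOINT):
        return None
    fields = parse_qs(parts.query + "&" + params, keep_blank_values=True)
    if "ipv6" not in fields.get("search_type", []):
        return None
    for address in fields.get("address", []):
        # Same split the advisory describes: address, then prefix after '/'.
        _addr, sep, prefix = address.partition("/")
        if sep and prefix and not prefix_is_valid(prefix):
            return f"invalid IPv6 prefix {prefix!r}"
    return None

# Constructed sample requests (path, urlencoded body); not real traffic.
SAMPLE_REQUESTS = [
    ("/ajax_table.php", "search_type=ipv6&address=2001%3Adb8%3A%3A1%2F64"),
    ("/ajax_table.php", "search_type=ipv6&address=2001%3Adb8%3A%3A"),
    ("/ajax_table.php", "search_type=ipv6&address=2001%3Adb8%3A%3A1%2F64%27--"),
    ("/ajax_table.php?search_type=ipv6&address=2001:db8::/64+OR+1%3D1", ""),
    ("/ajax_table.php", "search_type=ipv4&address=192.0.2.0%2F24"),
    ("/index.php", "search_type=ipv6&address=2001%3Adb8%3A%3A1%2Fx"),
]

def scan(requests):
    """Return (index, finding) for every request that should be flagged."""
    hits = []
    for i, (path, params) in enumerate(requests):
        finding = check_request(path, params)
        if finding:
            hits.append((i, finding))
    return hits

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_REQUESTS):
        print(index, finding)
```

The check decodes parameters once, so double-encoded input needs the same normalisation the web server applies before it reaches this function.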
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream.
ghsa·2026-02-18
CVE-2026-26988 [HIGH] CWE-89 LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream.
### Summary
**SQL Injection in IPv6 Address Search functionality via `address` parameter**
A SQL injection vulnerability exists in the `ajax_table.php` endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the `address` parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation.
### Details
The vulnerability is located in the logic that handles address searching when `search_type` is set to `ipv6`.
The application takes
OSV
LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream.
osv·2026-02-18
CVE-2026-26988 [HIGH] LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream.
No detection rules found.
No public exploits indexed.
Published: 2026-02-20