CVE-2026-26990
published 2026-02-20


Priority: P2 64 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.05% (89.4th percentile)
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixed in version 26.2.0.
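The flaw class described above, as an added example that is not LibreNMS code: the table name, column and query shape are hypothetical stand-ins, and the demo runs on sqlite3, which has no SLEEP() or BENCHMARK(), so the inference oracle is shown as boolean-blind (a result row appears only when the attacker's condition holds); against MySQL the same injection point carries a SLEEP() and the signal becomes response time instead.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a network table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ipv4_networks (ipv4_network TEXT)")
    conn.executemany(
        "INSERT INTO ipv4_networks VALUES (?)",
        [("10.0.0.0/24",), ("10.0.1.0/24",), ("192.168.0.0/16",), ("172.16.0.0/12",)],
    )
    return conn


def split_address(address):
    """Split 'net/prefix' into (net, prefix); prefix is None when no '/' is present."""
    net, _, prefix = address.partition("/")
    return net, (prefix if prefix else None)


def search_unsafe(conn, address):
    """Vulnerable pattern: the user-supplied prefix is spliced into the SQL text."""
    net, prefix = split_address(address)
    sql = "SELECT ipv4_network FROM ipv4_networks WHERE ipv4_network LIKE ?"
    params = [f"{net}%"]
    if prefix is not None:
        # Deliberate bug: string concatenation instead of a bound parameter.
        sql += f" AND ipv4_network LIKE '%/{prefix}'"
    return [row[0] for row in conn.execute(sql, params)]


def search_safe(conn, address):
    """Hardened form: every attacker-controlled value travels as a bound parameter."""
    net, prefix = split_address(address)
    sql = "SELECT ipv4_network FROM ipv4_networks WHERE ipv4_network LIKE ?"
    params = [f"{net}%"]
    if prefix is not None:
        sql += " AND ipv4_network LIKE ?"
        params.append(f"%/{prefix}")
    return [row[0] for row in conn.execute(sql, params)]


def oracle(conn, condition_sql):
    """Blind probe through the vulnerable search: the benign row comes back
    only when the attacker-chosen condition is true. A time-based variant
    appends e.g. MySQL's SLEEP() here and measures latency instead."""
    payload = f"192.168/16' AND ({condition_sql}) AND '1'='1"
    return bool(search_unsafe(conn, payload))


if __name__ == "__main__":
    db = make_db()
    crafted = "192.168/16' OR '1'='1"
    print("benign  unsafe:", search_unsafe(db, "192.168/16"))
    print("crafted unsafe:", search_unsafe(db, crafted))   # every row leaks
    print("crafted safe:  ", search_safe(db, crafted))     # no match, no injection
    print("row count > 3?", oracle(db, "(SELECT COUNT(*) FROM ipv4_networks) > 3"))
    print("row count > 10?", oracle(db, "(SELECT COUNT(*) FROM ipv4_networks) > 10"))
```

The crafted prefix closes the string literal and appends its own condition, so the unsafe query returns the whole table while the bound version treats the same bytes as an (unmatched) literal; `oracle` shows how one yes/no question per request is enough to extract data once the injection point exists.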

Affected (2 ranges)

Vendor     Product    Version range     Fixed in
librenms   librenms   < 26.2.0          26.2.0
librenms   librenms   >= 0 < 26.2.0     26.2.0

Detection & IOCs (extracted from sources)

  • Vulnerable file is address-search.inc.php; monitor HTTP requests targeting this endpoint with crafted subnet prefix values in the 'address' parameter, which is concatenated directly into SQL queries without parameter binding
  • Look for time-based blind SQL injection patterns (e.g., SLEEP(), BENCHMARK() payloads) in the 'address' parameter of requests to address-search.inc.php in LibreNMS
  • Exploitation requires authentication; investigate any authenticated user activity targeting address-search.inc.php with anomalous address parameter values
  • A public exploit exists for this vulnerability, increasing the urgency of detection and patching.
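The three detection points above, as an added example that is not part of the original page or of LibreNMS: a scanner over combined-format web-server access logs that pulls the 'address' parameter out of each request, decodes it, and flags values that are not a plain IPv4 address/prefix or that carry time-based SQLi markers. The log lines are constructed, and the request path and 'type=address' query are assumptions for illustration rather than LibreNMS's real routing; only the 'address' parameter matters to the check.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format). Users alice,
# bob and carol, the IPs and the URL path are invented for this example.
SAMPLE_LOG = """\
10.1.1.5 - alice [20/Feb/2026:10:00:01 +0000] "GET /ajax_search.php?type=address&address=10.0.0.0%2F24 HTTP/1.1" 200 512
10.1.1.9 - bob [20/Feb/2026:10:00:07 +0000] "GET /ajax_search.php?type=address&address=10.0.0.0%2F24%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 88
10.1.1.9 - bob [20/Feb/2026:10:00:19 +0000] "GET /ajax_search.php?type=address&address=10.0.0.0%2F24%27+AND+BENCHMARK%285000000%2CMD5%281%29%29--+- HTTP/1.1" 200 88
10.1.1.5 - alice [20/Feb/2026:10:00:25 +0000] "GET /ajax_search.php?type=address&address=192.168.0.0%2F16 HTTP/1.1" 200 640
10.1.1.7 - carol [20/Feb/2026:10:00:31 +0000] "GET /ajax_search.php?type=address&address=10.0.0.0%2F24%27/**/AND/**/sleep(3)%23 HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Time-based blind SQLi markers across common engines; MySQL (LibreNMS) uses the first two.
TIME_PATTERNS = {
    "SLEEP()": re.compile(r"\bsleep\s*\(", re.I),
    "BENCHMARK()": re.compile(r"\bbenchmark\s*\(", re.I),
    "pg_sleep()": re.compile(r"\bpg_sleep\s*\(", re.I),
    "WAITFOR DELAY": re.compile(r"\bwaitfor\s+delay\b", re.I),
}

# A well-formed search value: a dotted quad or a leading part of one, optional /0-32.
ADDRESS_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}(?:/(?:[0-9]|[12][0-9]|3[0-2]))?$")


def normalise(value):
    """Undo a second layer of URL encoding and collapse /**/ comment-whitespace tricks."""
    decoded = unquote_plus(value)
    return re.sub(r"/\*.*?\*/", " ", decoded)


def inspect_request(url):
    """Return the reasons a request's 'address' parameter looks like SQL injection."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    reasons = []
    for raw in qs.get("address", []):
        value = normalise(raw)
        if not ADDRESS_RE.match(value):
            reasons.append(f"malformed address/prefix: {value!r}")
        for name, pattern in TIME_PATTERNS.items():
            if pattern.search(value):
                reasons.append(f"time-based SQLi marker {name}")
    return reasons


def scan_log(text):
    """Scan access-log lines; one finding per request with a suspicious address value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group("url"))
        if reasons:
            findings.append({"ts": m.group("ts"), "ip": m.group("ip"),
                             "user": m.group("user"), "reasons": reasons})
    return findings


def suspects_by_user(findings):
    """Count findings per authenticated user: the account to investigate first."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["user"], f["ip"], "; ".join(f["reasons"]))
    print(suspects_by_user(hits))
```

The malformed-value check is the durable signal: it catches any prefix that is not a number from 0 to 32 regardless of which timing function or comment trick the payload uses, while the marker list is what ties a hit to this CVE's time-based technique. Because exploitation needs a valid session, the per-user tally points at the account to review, not just the source IP.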