CVE-2026-26990
Published 2026-02-20
Priority: P2 (64) · Severity: High · CVSS 3.1 base score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.05% (89.4th percentile)
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixed in version 26.2.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| librenms | librenms | < 26.2.0 | 26.2.0 |
| librenms | librenms | >= 0 < 26.2.0 | 26.2.0 |
Detection & IOCs (extracted from sources)
- Vulnerable file is address-search.inc.php; monitor HTTP requests targeting this endpoint with crafted subnet prefix values in the 'address' parameter, which is concatenated directly into SQL queries without parameter binding.
- Look for time-based blind SQL injection patterns (e.g., SLEEP(), BENCHMARK() payloads) in the 'address' parameter of requests to address-search.inc.php in LibreNMS.
- Exploitation requires authentication; investigate any authenticated user activity targeting address-search.inc.php with anomalous address parameter values.
- A public exploit exists for this vulnerability, increasing the urgency of detection and patching.
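The three detection notes above, turned into a small request inspector as an added example (this is not code from LibreNMS or from the advisory). It assumes the `address` parameter arrives form-encoded in the POST body or query string of `/ajax_table.php` (the advisory's request capture is cut off before the body), and the allow-list for what a legitimate address-search value looks like, as well as the sample requests, are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory and in the detection notes above.
WATCHED_PATHS = ("/ajax_table.php", "address-search.inc.php")

# Time-based blind SQLi primitives, matched case-insensitively after URL-decoding.
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)

# Assumed shape of a legitimate address-search value: IPv4/IPv6 digits and
# separators plus an optional CIDR slash. This is our allow-list, not LibreNMS's own validation.
ALLOWED_ADDRESS = re.compile(r"^[0-9A-Fa-f.:/]{1,64}$")


def inspect_request(method: str, target: str, body: str = "") -> list[str]:
    """Return findings for one HTTP request; an empty list means nothing suspicious."""
    parts = urlsplit(target)
    if not any(parts.path.endswith(p) for p in WATCHED_PATHS):
        return []  # not the vulnerable endpoint, ignore
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    findings = []
    for value in params.get("address", []):
        if TIME_BASED.search(value):
            findings.append(f"time-based SQLi pattern in address: {value!r}")
        elif not ALLOWED_ADDRESS.match(value):
            findings.append(f"anomalous address value (not an IP/prefix): {value!r}")
    return findings


# Constructed sample requests (not real traffic): one normal search, two suspect ones,
# and one unrelated request that must be ignored.
SAMPLES = [
    ("POST", "/ajax_table.php", "id=address-search&address=192.168.236.0/24"),
    ("POST", "/ajax_table.php", "id=address-search&address=10.0.0.0%2F8%27%20AND%20SLEEP%285%29--%20-"),
    ("GET", "/ajax_table.php?address=1%27%20OR%201%3D1--", ""),
    ("POST", "/login", "username=admin&password=x"),
]


def scan(samples=SAMPLES) -> dict[int, list[str]]:
    """Map sample index -> findings, for the samples that produced any."""
    return {i: f for i, (m, t, b) in enumerate(samples) if (f := inspect_request(m, t, b))}


if __name__ == "__main__":
    for idx, hits in scan().items():
        print(idx, hits)
```

The allow-list branch is the more durable of the two checks: signature matching catches the payload families the notes name, while anything that is not an IP or prefix in this field is worth a look regardless of which injection primitive was used.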
OSV · 2026-02-18
CVE-2026-26990 [HIGH] LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php
### Summary
A time-based blind SQL injection vulnerability exists in `address-search.inc.php` via the `address` parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses.
### Details
This vulnerability requires authentication and is exploitable by any authenticated user.
The vulnerable endpoint is at `/ajax_table.php` with the following request displaying the injection point.
```
POST /ajax_table.php HTTP/1.1
Host: 192.168.236.131
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.
```
GHSA · 2026-02-18
CVE-2026-26990 [HIGH] CWE-89 LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php
The GHSA entry carries the same Summary and Details text as the OSV entry above.
No detection rules found.
No public exploits indexed.