CVSS Score: 9.1
Published: 2026-02-20
Full Report: https://cvereports.com/reports/CVE-2026-26988
LibreNMS versions up to 25.12.0 are vulnerable to an unauthenticated SQL injection in the address search functionality. The flaw allows remote attackers to execute arbitrary database queries via the ajax_table.php endpoint.
Unauthenticated SQL injection in LibreNMS IPv6 search allows arbitrary database compromise. Fixed in version 26.2.0 by migrating to parameterized Laravel controllers.
- CWE ID: CWE-89
- Attack Vector: Network
- CVSS v3.1: 9.1
- EPSS Score: 0.00002
- Impact: Database Compromise / Data Exfiltration
- Exploit Status: Public PoC Available
- KEV Status: Not Listed
- LibreNMS <= 25.12.0
- LibreNMS: <= 25.12.0 (Fixed in: 26.2.0)
- Upgrade LibreNMS to version 26.2.0 or later.
- Restrict access to the LibreNMS web interface to trusted internal IP addresses or VPN subnets.
- Implement WAF rules to detect and block SQL injection attempts targeting the ajax_table.php endpoint.
Remediation Steps:
- Log into the LibreNMS application server.
- Run the daily.sh update script: ./daily.sh to fetch the latest application updates.
- Verify the installed version is 26.2.0 or greater by checking the web interface or running ./validate.php.
- Review access logs for POST requests to ajax_table.php containing suspicious SQL syntax in the 'address' parameter to identify potential historical compromises.
- GitHub Security Advisory (GHSA-h3rv-q4rq-pqcv)
- NVD Entry (CVE-2026-26988)
- CVE.org Record
- Wiz Vulnerability Database - CVE-2026-26988
- SentinelOne Vulnerability Database - LibreNMS Analysis
Generated by CVEReports - Automated Vulnerability Intelligence