CVE-2026-26987 MEDIUM

CVE-2026-26987: LibreNMS affected by reflected XSS via email field

Vendor Librenms

Product librenms

Weakness CWE-79 · XSS

Published February 20, 2026

Last update February 20, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version 26.2.0.

Key dates

02Disclosure timeline

February 20, 2026 CVE published

February 20, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-26987

Related vulnerabilities

04Related CVE

CVE-2020-9734 Stored XSS in AEM Forms component CVE-2025-58001 WordPress Compact Archives plugin <= 4.1.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-46857 Adobe Experience Manager | Cross-site Scripting (Reflected XSS) (CWE-79) CVE-2022-4695 Cross-site Scripting (XSS) - Stored in usememos/memos CVE-2025-0809 Link Fixer <= 3.4 - Unauthenticated Stored Cross-Site Scripting