CVE-2026-2728 MEDIUM

CVE-2026-2728

Vendor Librenms

Product librenms

Weakness CWE-79 · XSS

Published April 13, 2026

Last update April 13, 2026

View on NVD All CVEs

CVSS base score

4.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

What the vulnerability does

01Description

LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. Successful exploitation requires administrative privileges. Exploitation could result in XSS attacks being performed against other users with access to the page.

Key dates

02Disclosure timeline

April 13, 2026 CVE published

April 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-2728 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2022-41336 CVE-2025-58231 WordPress Bitly plugin <= 2.8.0 - Cross Site Scripting (XSS) vulnerability CVE-2024-1484 Booking for Appointments and Events Calendar – Amelia <= 1.0.98 - Reflected Cross-Site Scripting CVE-2025-23946 WordPress Enhanced YouTube Shortcode plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability CVE-2025-24707 WordPress Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery plugin <= 2.7.7.24 - Reflected Cross Site Scripting (XSS) vulnerability