{"uuid": "1e549cd8-1cf8-44de-87dd-3ec208dfcbbc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-2728", "type": "seen", "source": "https://gist.github.com/alon710/655cf6dd4f9ab27164c77a1260f54a30", "content": "# CVE-2026-2728: Authenticated Stored Cross-Site Scripting (XSS) in LibreNMS RANCID Configuration\n\n> **CVSS Score:** 4.8\n> **Published:** 2026-05-18\n> **Full Report:** https://cvereports.com/reports/CVE-2026-2728\n\n## Summary\nLibreNMS versions prior to 26.3.0 contain an authenticated Stored Cross-Site Scripting (XSS) vulnerability within the RANCID integration settings. The flaw occurs during the generation of the RANCID configuration repository link on the `showconfig` page, where user-supplied input is improperly neutralized before being inserted into an HTML href attribute. An attacker with administrative privileges can execute arbitrary JavaScript in the browser context of other administrators who view the affected page.\n\n## TL;DR\nAn authenticated Stored XSS vulnerability in the LibreNMS `showconfig` page allows administrative users to inject malicious scripts via the RANCID repository URL setting. This script executes when other administrators view the device configuration page, potentially leading to session hijacking or privilege abuse.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 4.8\n- **EPSS Score**: 0.00004\n- **Impact**: High (Session Hijacking / Privilege Abuse)\n- **Exploit Status**: Proof of Concept Available\n- **CISA KEV**: Not Listed\n\n## Affected Systems\n\n- LibreNMS\n- **LibreNMS**: < 26.3.0 (Fixed in: `26.3.0`)\n\n## Mitigation\n\n- Upgrade to patched software version\n- Disable unused external integrations\n- Restrict administrative privileges\n- Monitor configuration changes\n\n**Remediation Steps:**\n1. Verify current LibreNMS version installed on the server.\n2. If the version is below 26.3.0, schedule a maintenance window.\n3. Back up the LibreNMS database and application files.\n4. Execute the standard LibreNMS upgrade script (e.g., `./daily.sh` or Git pull) to update to 26.3.0 or newer.\n5. Verify functionality of the `showconfig` page to ensure the RANCID repository URL generates correctly without executing injected scripts.\n\n## References\n\n- [NVD Vulnerability Detail - CVE-2026-2728](https://nvd.nist.gov/vuln/detail/CVE-2026-2728)\n- [CVE.org Record - CVE-2026-2728](https://www.cve.org/CVERecord?id=CVE-2026-2728)\n- [Project Black Technical Blog](https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#xss-on-showconfig-page-2630)\n- [LibreNMS GitHub Repository](https://github.com/librenms/librenms)\n- [LibreNMS 26.3.0 Release Notes](https://github.com/librenms/librenms/releases/tag/26.3.0)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-2728) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-18T17:10:50.000000Z"}