CVE-2026-26990
- Source
- https://cve.org/CVERecord?id=CVE-2026-26990
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26990.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-26990
- Aliases
- Published
- 2026-02-20T01:29:33.838Z
- Modified
- 2026-03-03T02:56:16.567983Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php
- Details
-
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26990.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-89" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26990.json
- https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1
- https://github.com/librenms/librenms/pull/18777
- https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92
- https://nvd.nist.gov/vuln/detail/CVE-2026-26990
Affected packages
Git / github.com/librenms/librenms
Affected ranges
- Type
- GIT
- Repo
- https://github.com/librenms/librenms
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1
1.*
1.19
1.20
1.21
1.25
1.26
1.27
1.28
1.29
1.30
1.30.01
1.31
1.31.01
1.31.02
1.31.03
1.32
1.33
1.35
1.36
1.37
1.38
1.39
1.40
1.41
1.42
1.42.01
1.43
1.44
1.45
1.46
1.47
1.48
1.48.1
1.49
1.50
1.51
1.52
1.53
1.53.1
1.54
1.55
1.56
1.57
1.58
1.58.1
1.59
1.60
1.61
1.62
1.63
1.64
1.64.1
1.65
1.66
1.67
1.68
1.69
1.70.0
1.70.1
Other
201505
201506
201507
201508
201509
201510
201511
201512
201601
201602
201603
201604
201605
201606
201607
201608
20160828
201609
21.*
21.1.0
21.10.0
21.11.0
21.12.0
21.12.1
21.2.0
21.3.0
21.4.0
21.5.0
21.5.1
21.6.0
21.7.0
21.8.0
21.9.0
22.*
22.1.0
22.10.0
22.11.0
22.12.0
22.2.0
22.2.1
22.3.0
22.4.0
22.5.0
22.6.0
22.7.0
22.8.0
22.9.0
23.*
23.1.0
23.10.0
23.11.0
23.2.0
23.4.0
23.4.1
23.5.0
23.6.0
23.7.0
23.8.0
23.8.1
23.8.2
23.9.0
23.9.1
24.*
24.1.0
24.10.0
24.10.1
24.11.0
24.12.0
24.2.0
24.3.0
24.4.0
24.4.1
24.5.0
24.6.0
24.7.0
24.8.0
24.9.0
24.9.1
25.*
25.1.0
25.10.0
25.11.0
25.12.0
25.2.0
25.3.0
25.4.0
25.5.0
25.6.0
25.7.0
25.8.0
25.9.0
26.*
26.1.0