Cyber Resilience

CVE-2026-26988

Critical · Public PoC

Published: 20 February 2026

Modified: 20 February 2026
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0744 (93.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26988 is a critical-severity SQL Injection (CWE-89) vulnerability in LibreNMS. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26988 is an SQL injection vulnerability (CWE-89) in the ajax_table.php endpoint of LibreNMS, an auto-discovering PHP/MySQL/SNMP-based network monitoring tool. Versions 25.12.0 and below are affected. The flaw occurs because the application fails to properly sanitize or parameterize user input during IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is concatenated directly into the SQL query string without validation, enabling arbitrary SQL command injection. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction. By supplying a specially crafted IPv6 address in the affected endpoint, the attacker can inject malicious SQL, potentially achieving unauthorized data access or database manipulation, with high impacts to confidentiality and integrity.

The vulnerability has been addressed in LibreNMS version 26.2.0. Mitigation details are available in the GitHub security advisory (https://github.com/librenms/librenms/security/advisories/GHSA-h3rv-q4rq-pqcv), the fixing pull request (https://github.com/librenms/librenms/pull/18777), and the commit (https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1).
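The flawed pattern described above next to a hardened form, as an added example in Python with sqlite3 (it is not LibreNMS's PHP code or its actual fix). The table, column and function names are hypothetical and the rows are constructed.

```python
import ipaddress
import sqlite3

BASE_SQL = "SELECT hostname, ipv6_address, ipv6_prefixlen FROM ipv6_addresses WHERE ipv6_address = ?"

def unsafe_sql(raw):
    """Flawed pattern, for contrast only: the prefix half is pasted into the SQL text."""
    _, _, prefix = raw.partition("/")
    return BASE_SQL + " AND ipv6_prefixlen = " + prefix  # never executed here

def parse_ipv6_search(raw):
    """Split 'address/prefix' and validate both halves; raise ValueError otherwise."""
    address, sep, prefix = raw.strip().partition("/")
    addr = ipaddress.IPv6Address(address)  # rejects anything that is not an IPv6 literal
    if not sep:
        return addr.compressed, None
    # Only ASCII digits are accepted, and only in the valid IPv6 prefix range.
    if not (prefix.isascii() and prefix.isdigit()) or int(prefix) > 128:
        raise ValueError("prefix must be an integer from 0 to 128")
    return addr.compressed, int(prefix)

def search_ipv6(conn, raw):
    """Hardened form: validated values are passed as bound parameters only."""
    address, prefix = parse_ipv6_search(raw)
    sql, params = BASE_SQL, [address]
    if prefix is not None:
        sql += " AND ipv6_prefixlen = ?"
        params.append(prefix)
    return conn.execute(sql, params).fetchall()

def demo_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ipv6_addresses (hostname TEXT, ipv6_address TEXT, ipv6_prefixlen INTEGER)")
    conn.executemany("INSERT INTO ipv6_addresses VALUES (?, ?, ?)",
                     [("core-sw1", "2001:db8::1", 64), ("edge-rt1", "2001:db8::2", 128)])
    return conn

if __name__ == "__main__":
    db = demo_db()
    for query in ("2001:0db8:0:0:0:0:0:1/64", "2001:db8::1/64 UNTRUSTED_TEXT"):
        try:
            print(query, "->", search_ipv6(db, query))
        except ValueError as exc:
            print(query, "-> rejected:", exc)
```

The address is normalised before comparison, so an expanded spelling of a stored address still matches, while any prefix that is not a plain integer from 0 to 128 is rejected before a query is built.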

Vulnerability details

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated SQL injection in public-facing web endpoint (ajax_table.php) directly enables initial access via exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26990 · Same product: Librenms Librenms
CVE-2020-36947 · Same product: Librenms Librenms
CVE-2026-6204 · Same product: Librenms Librenms
CVE-2024-51092 · Same product: Librenms Librenms
CVE-2012-10063 · Same product class: network monitoring / SIEM
CVE-2025-9428 · Same product class: network monitoring / SIEM
CVE-2021-47693 · Same product class: network monitoring / SIEM
CVE-2024-52606 · Same product class: network monitoring / SIEM
CVE-2025-40540 · Same product class: network monitoring / SIEM
CVE-2025-40553 · Same product class: network monitoring / SIEM

Affected Assets

librenms
librenms
≤ 26.2.0

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly requires validation and sanitization of user inputs like the IPv6 address parameter to prevent SQL injection in the ajax_table.php endpoint.

prevent: Mandates timely identification, reporting, and correction of flaws such as this SQL injection vulnerability through patching to version 26.2.0.

prevent, detect: Requires vulnerability scanning to identify SQL injection flaws like CVE-2026-26988 and subsequent remediation to mitigate exploitation.
