CVE-2026-26988
Published: 20 February 2026
Summary
CVE-2026-26988 is a critical-severity SQL Injection (CWE-89) vulnerability in LibreNMS. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 0.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of user inputs like the IPv6 address parameter to prevent SQL injection in the ajax_table.php endpoint.
Mandates timely identification, reporting, and correction of flaws such as this SQL injection vulnerability through patching to version 26.2.0.
Requires vulnerability scanning to identify SQL injection flaws like CVE-2026-26988 and subsequent remediation to mitigate exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in a public-facing web endpoint (ajax_table.php) directly enables initial access via exploitation of a public-facing application (T1190).
NVD Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.
Deeper analysis
Versions 25.12.0 and below of LibreNMS, an auto-discovering PHP/MySQL/SNMP-based network monitoring tool, are affected by CVE-2026-26988, an SQL injection vulnerability (CWE-89) in the ajax_table.php endpoint. The flaw occurs because the application fails to properly sanitize or parameterize user input during IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is concatenated directly into the SQL query string without validation, enabling arbitrary SQL command injection. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction. By supplying a specially crafted IPv6 address in the affected endpoint, the attacker can inject malicious SQL, potentially achieving unauthorized data access or database manipulation, with high impacts to confidentiality and integrity.
The vulnerability has been addressed in LibreNMS version 26.2.0. Mitigation details are available in the GitHub security advisory (https://github.com/librenms/librenms/security/advisories/GHSA-h3rv-q4rq-pqcv), the fixing pull request (https://github.com/librenms/librenms/pull/18777), and the commit (https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1).
Details
- CWE(s)