CVE-2026-27016

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks striptags sanitization while other fields name, oid, datatype are sanitized. The...

CVE-2026-27016 LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags()

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks striptags sanitization while other fields name, oid, datatype are sanitized. The...

CVE-2026-27016

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks striptags sanitization while other fields name, oid, datatype are sanitized. The...

CVE-2026-27016 LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags()

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks striptags sanitization while other fields name, oid, datatype are sanitized. The...

CVE-2026-27016 LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags()

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks striptags sanitization while other fields name, oid, datatype are sanitized. The...

CVE-2026-27016

LibreNMS (versions 24.10.0–26.1.1) contains a Stored XSS in the Custom OID unit field due to missing strip_tags() sanitization (unit is taken from POST without sanitization; other fields are sanitized). The unsanitized value is stored and rendered without HTML escaping in device graphs, enabling ...

CVE-2026-25596

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting XSS vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any...

CVE-2026-26967

PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL...

LibreNMS 安全漏洞

LibreNMS is an open-source network monitoring system developed by the LibreNMS community, based on PHP and MySQL. This system features custom alerts, automatic discovery of networks, and automatic updates. There were security vulnerabilities in LibreNMS versions 24.10.0 to 26.1.1. These...

UBUNTU-CVE-2026-26203

PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked...

SUSE CVE-2026-23124

In the Linux kernel, the following vulnerability has been resolved: ipv6: annotate data-race in ndiscrouterdiscovery syzbot found that ndiscrouterdiscovery could read and write in6dev-ramtu without holding a lock 1 This looks fine, IFLAINET6RAMTU is best effort. Add READONCE/WRITEONCE to document...

Ubuntu 24.04 LTS : Linux kernel (Low Latency) vulnerabilities (USN-8052-1)

"The remote Ubuntu 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8052-1 advisory. It was discovered that improper initialization of CPU cache memory could allow a local attacker with hypervisor access to overwrite SEV-SNP guest memory...

filippo.io/edwards25519 安全漏洞

filippo.io/edwards25519 is a Go language library developed by Filippo Valsorda. Versions of filippo.io/edwards25519 prior to 1.1.0 contained security vulnerabilities. These vulnerabilities stemmed from the MultiScalarMult method generating invalid results or undefined behavior when the recipient ...

CVE-2026-25596

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting XSS vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any...

CVE-2026-25596 InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting XSS vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any...

CVE-2026-25596 InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting XSS vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any...

CVE-2026-25596 InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting XSS vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any...

CVE-2026-25596

InvoicePlane 1.7.0 is affected by a Stored XSS vulnerability in the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. The issue is mitigated in version 1.7.1 ...

GHSA-FQX6-693C-F55G LibreNMS has a Stored XSS in Custom OID - unit parameter missing strip_tags()

Summary The unit parameter in Custom OID functionality lacks striptags sanitization while other fields name, oid, datatype are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping, allowing Stored XSS. Details Vulnerable Input Processing...

LibreNMS has a Stored XSS in Custom OID - unit parameter missing strip_tags()

Summary The unit parameter in Custom OID functionality lacks striptags sanitization while other fields name, oid, datatype are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping, allowing Stored XSS. Details Vulnerable Input Processing...