May 18, 2026
An authenticated Stored XSS vulnerability in the LibreNMS `showconfig` page allows administrative users to inject malicious scripts via the RANCID repository URL setting. This script executes when other administrators view the device configuration page, potentially leading to session hijacking or privilege abuse.
LibreNMS versions prior to 26.3.0 contain an authenticated Stored Cross-Site Scripting (XSS) vulnerability within the RANCID integration settings. The flaw occurs during the generation of the RANCID configuration repository link on the `showconfig` page, where user-supplied input is improperly neutralized before being inserted into an HTML href attribute. An attacker with administrative privileges can execute arbitrary JavaScript in the browser context of other administrators who view the affected page.
LibreNMS is an open-source network monitoring system that provides extensive device management capabilities, including integration with external configuration backup tools like RANCID. The RANCID integration allows network administrators to view device configuration histories directly from the LibreNMS web interface. The system retrieves the RANCID repository URL from the global configuration and embeds it into the DOM to render a clickable link for users.
The vulnerability, identified as CVE-2026-2728, resides in the showconfig page component responsible for rendering this repository link. The application fails to strictly neutralize the user-supplied repository URL before concatenating it into the href attribute of an anchor tag. This deficiency introduces a Stored Cross-Site Scripting (XSS) condition, classified under CWE-79.
Because the setting is writable only by administrators, the attack requires high privileges. The realistic attack vector is an attacker who already controls one administrative account, through compromise or insider misuse, and plants the payload there; it fires when a different administrator opens the device configuration view, running the injected script inside that administrator's authenticated session.
The root cause of CVE-2026-2728 lies in how showconfig.inc.php builds the HTML for the Git repository link. The script reads rancid_repo_url from the configuration store and concatenates it straight into a double-quoted href attribute. The snippet reproduced below wraps the value in htmlspecialchars(); with its default flags (ENT_COMPAT before PHP 8.1, ENT_QUOTES from 8.1 on) that call encodes `"`, `<`, `>` and `&`, and a value escaped that way cannot close the attribute.
The break-out the advisory describes therefore only works if the value reaches the attribute unescaped, or escaped with flags that leave double quotes alone; the page does not say whether the snippet already carries part of the fix or the vulnerable build used different flags. Given raw concatenation, the attack is straightforward: a value beginning with `">` terminates the href attribute and the anchor's start tag, and everything after it is parsed as new markup, including elements with event-handler attributes.
The deeper problem is that the code relies on attribute quoting alone and never treats the value as a URL. Nothing restricts it to an http:// or https:// scheme, and nothing validates it when the setting is saved. Missing input validation at save time plus context-unaware output at render time together provide the execution primitive.
The vulnerability manifests in includes/html/pages/device/showconfig.inc.php. The application checks if the rancid_repo_url is set and proceeds to build an anchor link for users to browse the repository. The vulnerable code executes direct string concatenation inline with the HTML echo statement.
```php
// Vulnerable Code Snippet (as reproduced in the advisory; note that it already
// escapes the value with htmlspecialchars(), which encodes the quote and angle
// brackets the payload below relies on)
print_optionbar_start('', '');
echo is_null(LibrenmsConfig::get('rancid_repo_url')) ? 'Git repository non-browsable' : '<a href="' . htmlspecialchars(LibrenmsConfig::get('rancid_repo_url')) . '/?a=blob;hb=HEAD;p=' . basename((string) $rancid_path) . ';f=' . $rancid_file . '">Git repository</a>';
print_optionbar_end();
```

The attacker supplies the repository URL `"><img/src/onerror=alert(1)><a x=`. If the value reaches the attribute unescaped, the leading `">` terminates the href attribute and the `<a>` start tag; `<img/src/onerror=alert(1)>` is parsed as an image element with an empty src and an onerror handler (the HTML parser treats the slashes as attribute separators); and the trailing `<a x=` swallows the remainder of the original string (`/?a=blob;hb=HEAD;p=...;f=...">`) as an attribute value, so the document stays well-formed enough to render. If the value passes through htmlspecialchars() first, the same payload becomes `&quot;&gt;&lt;img/src/onerror=alert(1)&gt;&lt;a x=` and never leaves the attribute.
According to the advisory, the patched releases validate the setting and encode it for use as a URL before it is rendered into the attribute, so the characters needed to end the attribute (`"` and `>`) are neutralized and the injected <img> element from the proof-of-concept cannot appear in the page.
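To make the escaping argument concrete, here is a stand-alone PHP script added to this write-up; it is not LibreNMS code. render_repo_link() mirrors the concatenation in showconfig.inc.php with escaping switchable on and off, and is_safe_repo_url() is one plausible save-time allowlist, an assumption about what a fix should do rather than a quote from the 26.3.0 patch. The repository path and file name are constructed sample values.

```php
<?php
// Added example for this write-up; not LibreNMS code. render_repo_link()
// mirrors the concatenation in showconfig.inc.php with escaping switchable,
// and is_safe_repo_url() is an assumed save-time allowlist, not the 26.3.0 patch.
declare(strict_types=1);

// The payload quoted in the advisory.
const PAYLOAD = '"><img/src/onerror=alert(1)><a x=';

// Build the anchor the way showconfig.inc.php does. $escape = false reproduces
// raw concatenation (the break-out); $escape = true applies htmlspecialchars()
// with quotes encoded, which keeps the whole value inside the attribute.
function render_repo_link(string $repoUrl, string $rancidPath, string $rancidFile, bool $escape): string
{
    $url = $escape
        ? htmlspecialchars($repoUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : $repoUrl;

    return '<a href="' . $url . '/?a=blob;hb=HEAD;p=' . basename($rancidPath)
        . ';f=' . $rancidFile . '">Git repository</a>';
}

// Assumed allowlist for the setting at save time: an absolute http(s) URL with
// a host, no embedded credentials, and none of the characters that can end an
// attribute value or open a tag. Output escaping stays in place regardless.
function is_safe_repo_url(string $repoUrl): bool
{
    $parts = parse_url($repoUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    return preg_match('/["\'<>\s]/', $repoUrl) === 0;
}

// Constructed sample values standing in for $rancid_path and $rancid_file.
$rancidPath = '/opt/librenms/rancid/repo.git';
$rancidFile = 'router1.example.net';

echo "raw:     " . render_repo_link(PAYLOAD, $rancidPath, $rancidFile, false) . PHP_EOL;
echo "escaped: " . render_repo_link(PAYLOAD, $rancidPath, $rancidFile, true) . PHP_EOL;

$candidates = [
    'https://git.example.net/rancid.git',  // accepted
    PAYLOAD,                               // rejected: no scheme or host, forbidden characters
    'javascript:alert(1)',                 // rejected: scheme not allowlisted, no host
    'http://user:pw@git.example.net/',     // rejected: embedded credentials
];
foreach ($candidates as $candidate) {
    printf("%-40s %s\n", $candidate, is_safe_repo_url($candidate) ? 'accepted' : 'rejected');
}
```

Run it with `php example.php`. The raw rendering opens with `<a href="">` followed by an `<img>` whose empty src fires onerror as soon as the page is parsed, which is exactly the proof-of-concept behaviour; the escaped rendering keeps the whole payload inside the attribute as `&quot;&gt;&lt;img...`. That is why htmlspecialchars() with quotes encoded is sufficient for this attribute context, and why the scheme allowlist is a second, independent layer rather than a replacement for output escaping.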
Exploiting CVE-2026-2728 requires satisfying several specific preconditions. The attacker must authenticate with administrative privileges and ensure that RANCID integration is actively configured within LibreNMS. The integration requires the rancid_repo_type to be set to git-bare. Furthermore, the server must host a valid Git repository containing files at the configured path, as LibreNMS validates the repository's existence using git ls-tree before rendering the vulnerable link.
The attacker begins by navigating to the RANCID Integration panel located at Settings -> External. The attacker configures a valid local repository path, such as /opt/librenms/rancid/repo.git. The attacker then injects the XSS payload "><img/src/onerror=alert(1)><a x=" directly into the "RANCID Repository URL" field and saves the configuration.
The exploitation chain concludes when another user, typically a targeted administrator, navigates to the "Show Config" tab for any device associated with the modified RANCID configuration. The browser parses the manipulated HTML structure, attempts to load the invalid image source, and immediately executes the JavaScript defined in the onerror handler within the victim's session.
The successful exploitation of CVE-2026-2728 grants the attacker arbitrary JavaScript execution capabilities within the context of the victim's authenticated session. Because the payload triggers on an administrative interface, the victim is highly likely to possess elevated privileges. This execution primitive violates the integrity and confidentiality of the targeted user session.
An attacker can use that execution to act as the victim: modify system configuration, add backdoors, create further administrative accounts, or harvest sensitive data displayed in the application. Because the script runs same-origin, it can call any web endpoint the victim's session authorizes, with the session cookie attached automatically.
The vulnerability holds a CVSS v3.1 base score of 4.8. The score reflects the required high privileges (PR:H) and necessary user interaction (UI:R), which reduce the base exploitability. The EPSS score is 0.00004, indicating an extremely low probability of widespread exploitation in the wild, largely due to the restrictive authentication prerequisites.
The primary remediation for CVE-2026-2728 is to upgrade LibreNMS to version 26.3.0 or a subsequent release. The maintainers introduced patches that implement rigorous sanitization for external configuration parameters before they are rendered in the HTML context. Administrators should apply the update during the next available maintenance window to eliminate the vulnerability.
Organizations that cannot patch immediately can mitigate through configuration. The most effective interim measure is to disable the RANCID integration entirely if it is not in operational use, which removes the vulnerable code path. Where the integration is needed, leaving rancid_repo_url unset is enough to suppress the link: the snippet above only builds the anchor when the setting is non-null and otherwise prints "Git repository non-browsable", so configuration history stays viewable without the repository link.
Security teams should audit the administrative user base and apply least privilege, since the setting is writable only by administrators. Monitor for changes to the RANCID Integration settings, and in particular alert on any rancid_repo_url value that contains `"`, `<` or `>` or does not begin with http:// or https://. A Content Security Policy that disallows inline script and inline event handlers would stop this specific onerror= payload; deploy it in report-only mode first, because any inline script the application's own pages rely on would be blocked as well. Egress filtering limits where an exfiltration payload can send data but does not stop the script from running.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| LibreNMS | < 26.3.0 | 26.3.0 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Attack Vector | Network |
| CVSS v3.1 Score | 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) |
| EPSS Score | 0.00004 |
| Impact | High (Session Hijacking / Privilege Abuse) |
| Exploit Status | Proof of Concept Available |
| CISA KEV | Not Listed |