CVE-2026-26988

CRITICAL LAB

LibreNMS < 26.2.0 - SQL Injection via IPv6 Address Search in ajax_table.php

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-26988. PoCs published by XiaomingX, exploitintel, mbanyamer.

AI-analyzed exploit summary: the summary generated for the XiaomingX entry describes a different vulnerability (WordPress Quiz Maker, CVE-2025-10042, a time-based blind SQLi via crafted HTTP headers) and does not match this CVE. The exploitintel and mbanyamer entries describe the LibreNMS issue: a PoC against the `ajax_table.php` endpoint that injects SQL through the unvalidated prefix portion of an IPv6 address search. Note that the entries disagree on whether an authenticated session is required (the CVSS vector below gives PR:N; the exploitintel entry lists an authenticated session as a prerequisite), so verify the precondition against a lab target before relying on either claim.

Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation. This issue has been fixed in version 26.2.0.
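The pattern the description gives (split the search value on "/", bind the address, concatenate the prefix) is easy to reproduce and fix. The following is an added example, not LibreNMS code: it uses an in-memory SQLite table whose name, columns and rows are constructed for illustration, shows the concatenation bug letting a crafted prefix append a UNION that reads a second table, and beside it the hardened form that validates the prefix as an integer in 0-128 and binds it as a parameter.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the table the IPv6 search reads from.
# Table and column names are assumptions for this illustration, not the
# project's schema; the sample rows are made up.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ipv6_addresses (ipv6_address TEXT, ipv6_prefixlen INTEGER, port_id INTEGER)")
    db.executemany(
        "INSERT INTO ipv6_addresses VALUES (?, ?, ?)",
        [("2001:db8::1", 64, 1), ("2001:db8::2", 64, 2), ("2001:db8:ffff::1", 48, 3)],
    )
    # A second table the injected UNION can read, standing in for anything sensitive.
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', '$2y$10$constructedhash')")
    return db

def split_address(value):
    """Split 'address/prefix' on the first '/' as the description says the endpoint does."""
    if "/" in value:
        return tuple(value.split("/", 1))
    return value, ""

def search_vulnerable(db, value):
    """Pattern the advisory describes: the prefix is concatenated into the SQL text."""
    addr, prefix = split_address(value)
    sql = "SELECT ipv6_address, ipv6_prefixlen, port_id FROM ipv6_addresses WHERE ipv6_address LIKE ?"
    if prefix:
        sql += " AND ipv6_prefixlen = " + prefix   # the injection point
    return db.execute(sql, ("%" + addr + "%",)).fetchall()

def prefix_is_valid(prefix):
    """A prefix length is at most three ASCII digits with a value from 0 to 128."""
    return bool(re.fullmatch(r"[0-9]{1,3}", prefix)) and int(prefix) <= 128

def search_hardened(db, value):
    """Same query, but the prefix is validated as an integer and bound as a parameter."""
    addr, prefix = split_address(value)
    sql = "SELECT ipv6_address, ipv6_prefixlen, port_id FROM ipv6_addresses WHERE ipv6_address LIKE ?"
    params = ["%" + addr + "%"]
    if prefix:
        if not prefix_is_valid(prefix):
            raise ValueError("prefix length must be an integer between 0 and 128")
        sql += " AND ipv6_prefixlen = ?"
        params.append(int(prefix))
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(search_vulnerable(db, "2001:db8::/64"))
    # Crafted prefix: closes the comparison and appends a UNION that reads the users table.
    print(search_vulnerable(db, "2001:db8::/0 UNION SELECT username, password, 0 FROM users--"))
    try:
        search_hardened(db, "2001:db8::/0 UNION SELECT username, password, 0 FROM users--")
    except ValueError as e:
        print("hardened:", e)
```

The address half is already safe from injection in both versions because it is bound, not concatenated; the user can still supply LIKE wildcards there, which broadens the match but cannot change the statement. The fix for the prefix is the same rule: never let it reach the SQL text, and reject anything that is not a small integer before binding it.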

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26988

The AI-generated summary attached to this entry describes a WordPress Quiz Maker exploit (CVE-2025-10042, time-based blind SQLi via crafted HTTP headers, with extraction of admin credentials and password hashes), not LibreNMS. The target and prerequisite fields below likewise refer to that product, so this entry is unverified for CVE-2026-26988 until the repository contents are checked.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: Target WordPress URL · Path to quiz page · Vulnerable header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026
github WORKING POC 1 stars
by exploitintel · pythonpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2026-26988

This repository contains a functional exploit PoC for CVE-2026-26988, a critical SQL injection vulnerability in LibreNMS versions ≤ 25.12.0. The exploit targets the `ajax_table.php` endpoint, leveraging improper sanitization of the CIDR prefix in IPv4/IPv6 address search requests to inject arbitrary SQL queries.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: LibreNMS ≤ 25.12.0
Auth required
Prerequisites: authenticated session · access to `/ajax_table.php` endpoint
devstral-2 · analyzed Mar 02, 2026
nomisec WORKING POC
by mbanyamer · poc
https://github.com/mbanyamer/CVE-2026-26988-LibreNMS-SQLi

This repository contains a functional Python-based proof-of-concept exploit for CVE-2026-26988, an unauthenticated SQL injection vulnerability in LibreNMS. The exploit targets the `ajax_table.php` endpoint via the `ipv6_prefixlen` parameter, which is directly concatenated into an SQL query without proper escaping.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: LibreNMS <= 25.12.0
No auth needed
Prerequisites: Network access to the LibreNMS web interface · Python 3.x with `requests` library
devstral-2 · analyzed Feb 20, 2026
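The LibreNMS-specific PoCs above all send a crafted prefix to `ajax_table.php`, which gives a simple detection hook. The following added check is not from the page, the PoC repositories or the project: it runs over constructed request-log lines in an assumed format (method, path, URL-encoded form body, client IP, the kind of record a reverse proxy or WAF configured to log POST bodies would keep; a stock access log does not record bodies) and alerts on any `address` value whose part after the "/" is not a plain prefix length. That covers IPv4 searches as well as the IPv6 case the description names, matching the IPv4/IPv6 wording in the exploitintel entry.

```python
import re
from urllib.parse import parse_qs

# Constructed request-log lines, not real LibreNMS or proxy output. Format
# (assumed): method, path, URL-encoded form body, client IP.
SAMPLE_LOG = """\
POST /ajax_table.php address=2001%3Adb8%3A%3A%2F64 10.0.0.5
POST /ajax_table.php address=2001%3Adb8%3A%3A%2F64+UNION+SELECT+username%2Cpassword+FROM+users-- 203.0.113.9
POST /ajax_table.php address=10.0.0.0%2F8 10.0.0.5
POST /ajax_table.php address=2001%3Adb8%3A%3A%2F1%27+OR+%271%27%3D%271 203.0.113.9
GET /device/device=1/ - 10.0.0.5
"""

PREFIX_OK = re.compile(r"[0-9]{1,3}")

def suspicious_prefix(address_value):
    """True when the text after the first '/' is not a plain prefix length 0-128.

    The endpoint splits on that '/' (per the description), so anything else in
    the prefix position is what reaches the query unvalidated on affected versions.
    """
    if "/" not in address_value:
        return False
    prefix = address_value.split("/", 1)[1]
    return not (PREFIX_OK.fullmatch(prefix) and int(prefix) <= 128)

def scan_log(text):
    """Return (client, decoded address value) for each request that should be alerted on."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ")
        if len(parts) != 4:
            continue
        method, path, body, client = parts
        if method != "POST" or path != "/ajax_table.php":
            continue
        # parse_qs decodes %XX and '+', so the check sees the value the server would see.
        for value in parse_qs(body).get("address", []):
            if suspicious_prefix(value):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} ajax_table.php address={value!r}")
```

Decoding before matching matters: a rule that greps the raw body for "UNION" misses the same payload sent with alternate casing or extra encoding, whereas a positive check on the decoded prefix (digits only, at most 128) rejects every variant without a signature list.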

Related Analysis

Scores

CVSS v3 9.1
EPSS 0.0000
EPSS Percentile 0.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Lab Environment

Patched image: docker pull ghcr.io/exploitintel/cve-2026-26988-patched:latest

Details

CWE
CWE-89
Status published
Products (1)
librenms/librenms < 26.2.0
Published Feb 20, 2026
Tracked Since Feb 20, 2026