LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection.
References
| Link | Resource |
|---|---|
| https://community.librenms.org/ | Product |
| https://github.com/librenms/librenms | Product |
| https://www.exploit-db.com/exploits/49246 | Exploit Third Party Advisory VDB Entry |
| https://www.librenms.org | Product |
| https://www.vulncheck.com/advisories/librenms-mac-accounting-graph-authenticated-sql-injection | Third Party Advisory |
| https://community.librenms.org/ | Product |
Configurations
History
02 Feb 2026, 19:48
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://community.librenms.org/ - Product | |
| References | () https://github.com/librenms/librenms - Product | |
| References | () https://www.exploit-db.com/exploits/49246 - Exploit, Third Party Advisory, VDB Entry | |
| References | () https://www.librenms.org - Product | |
| References | () https://www.vulncheck.com/advisories/librenms-mac-accounting-graph-authenticated-sql-injection - Third Party Advisory | |
| First Time |
Librenms librenms
Librenms |
|
| CPE | cpe:2.3:a:librenms:librenms:1.46:*:*:*:*:*:*:* |
27 Jan 2026, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://community.librenms.org/ - |
27 Jan 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-27 16:16
Updated : 2026-02-02 19:48
NVD link : CVE-2020-36947
Mitre link : CVE-2020-36947
CVE.ORG link : CVE-2020-36947
JSON object : View
Products Affected
librenms
- librenms
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')