SQL injection in LibreNMS - CVE-2024-32461
Published: April 20, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information and modify database contents.
The vulnerability exists due to SQL injection in librenms/includes/html/pages/search/packages.inc.php when handling POST requests to /search/search=packages. A remote user can send a specially crafted package parameter to disclose sensitive information and modify database contents.
The injection is time-based and can be used to extract database data such as administrator credentials.
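Because the injection is time-based, it tends to show up in web server logs as repeated POST requests to the affected endpoint with unusually long response times. The following detection sketch is an added example, not code from the advisory or from LibreNMS; it assumes an nginx "combined" access log with $request_time appended as the last field, and the thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: nginx "combined" log format with $request_time appended as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$'
)
TARGET_PATH = "/search/search=packages"  # endpoint named in the advisory
SLOW_SECONDS = 3.0   # assumed threshold; set it well above the endpoint's normal latency
MIN_SLOW_HITS = 3    # assumed: repeated slow responses, not a single slow query

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = """
198.51.100.7 - - [20/Apr/2024:10:00:01 +0000] "POST /search/search=packages HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.041
198.51.100.7 - - [20/Apr/2024:10:00:07 +0000] "POST /search/search=packages HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5.012
198.51.100.7 - - [20/Apr/2024:10:00:13 +0000] "POST /search/search=packages HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5.020
198.51.100.7 - - [20/Apr/2024:10:00:14 +0000] "POST /search/search=packages HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.038
198.51.100.7 - - [20/Apr/2024:10:00:20 +0000] "POST /search/search=packages HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5.009
192.0.2.10 - - [20/Apr/2024:10:01:00 +0000] "POST /search/search=packages HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.052
192.0.2.10 - - [20/Apr/2024:10:01:05 +0000] "GET /search/search=packages HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 6.100
192.0.2.10 - - [20/Apr/2024:10:01:09 +0000] "POST /search/search=packages/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 4.200
203.0.113.5 - - [20/Apr/2024:10:02:00 +0000] "POST /overview HTTP/1.1" 200 812 "-" "Mozilla/5.0" 7.300
"""

def suspicious_clients(lines, slow=SLOW_SECONDS, min_hits=MIN_SLOW_HITS):
    """Return {client_ip: {"total": n, "slow": m}} for clients with >= min_hits slow POSTs."""
    stats = defaultdict(lambda: {"total": 0, "slow": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not the request method the advisory describes
        if m["path"].split("?", 1)[0].rstrip("/") != TARGET_PATH:
            continue  # some other endpoint
        entry = stats[m["ip"]]
        entry["total"] += 1
        if float(m["rt"]) >= slow:
            entry["slow"] += 1
    return {ip: s for ip, s in stats.items() if s["slow"] >= min_hits}

if __name__ == "__main__":
    for ip, s in suspicious_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['slow']} of {s['total']} POSTs to {TARGET_PATH} took >= {SLOW_SECONDS}s")
```

A hit is a lead for triage rather than proof: a slow database or a large legitimate search can also cross the threshold, so compare against the endpoint's baseline latency before escalating.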