# Security Advisory
## LibreNMS NFSen Module - Local File Inclusion Vulnerability
### Advisory Information
- **Advisory ID:** LIBRE-2026-001
- **CVE ID:** CVE-2026-XXXXX (Pending)
- **Severity:** High
- **CVSS v3.1 Score:** 7.5 - 8.5
- **Tested Version:** 22.11.0-23-gd091788f2
### Vulnerability Summary
A path traversal vulnerability in the LibreNMS NFSen module allows authenticated attackers to include arbitrary PHP files from the server filesystem by manipulating the `nfsen` URL parameter.
### Technical Details
**Vulnerable Endpoint:**
```
/device/{id}/tab=netflow
```
**Vulnerable Parameter:**
```
nfsen
```
**Vulnerable Code Location:**
```
includes/html/pages/device/nfsen.inc.php (Lines 46-48)
```
**Attack Vector:**
```
GET /device/114/tab=netflow?nfsen=..%2f..%2f[target_file] HTTP/1.1
```
### CVSS v3.1 Vector
```
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
```
| Metric | Value |
|--------|-------|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | Low |
| Availability Impact | None |
### Mitigation
Until a patch is available:
1. Restrict access to NFSen/Netflow functionality
2. Implement WAF rules to block path traversal patterns
3. Monitor access logs for suspicious `nfsen` parameter values
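Added detection example for mitigation step 3 (this is not code from the advisory or from LibreNMS): a small Python scanner that walks access-log lines and flags requests whose `nfsen` parameter decodes to a path-traversal value, covering the URL-encoded form shown in the attack vector above as well as `%2e%2e` and double-encoded variants. The log lines, IP addresses and timestamps are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format); not from a real server.
SAMPLE_LOG = """\
198.51.100.10 - - [01/Jan/2026:10:00:00 +0000] "GET /device/114/tab=netflow?nfsen=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 512
198.51.100.11 - - [01/Jan/2026:10:00:01 +0000] "GET /device/114/tab=netflow?nfsen=%2e%2e/%2e%2e/config HTTP/1.1" 200 512
198.51.100.12 - - [01/Jan/2026:10:00:02 +0000] "GET /device/114/tab=netflow?nfsen=..%252f..%252fx HTTP/1.1" 200 512
198.51.100.13 - - [01/Jan/2026:10:00:03 +0000] "GET /device/114/tab=netflow?nfsen=stats HTTP/1.1" 200 512
198.51.100.14 - - [01/Jan/2026:10:00:04 +0000] "GET /device/114/tab=ports HTTP/1.1" 200 512
"""

# Client IP, timestamp and the request target are all we need from each line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (e.g. ..%252f) are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value escapes its directory: a '..' segment, an absolute path, or a NUL byte."""
    decoded = decode_fully(value).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    return any(seg == ".." for seg in decoded.split("/"))

def find_suspicious(log_text):
    """Return (ip, timestamp, raw nfsen value) for every request whose nfsen parameter looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # Work on the raw (still-encoded) value so the alert shows exactly what the client sent.
        for raw in re.findall(r"(?:^|&)nfsen=([^&]*)", query):
            if is_traversal(raw):
                hits.append((m.group("ip"), m.group("ts"), raw))
    return hits

if __name__ == "__main__":
    for ip, ts, raw in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious nfsen={raw}")
```

Expect some false positives from legitimate values containing `..`; treat a hit as a lead to inspect alongside the responding status code and the authenticated user, not as proof of exploitation.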
### Vendor Response
[Pending vendor response]
### Acknowledgments
This vulnerability was discovered and responsibly disclosed by **Ömer Baran Parlak** ([@parlakbarann](https://github.com/parlakbarann)).