What is the CVSS score of CVE-2020-36947?

CVE-2020-36947 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Librenms are affected by CVE-2020-36947?

LibreNMS deployments are vulnerable to authenticated SQL injection attacks that could allow legitimate users to extract sensitive database information, including credentials and network configuration…

Is there a public PoC exploit available for CVE-2020-36947?

Yes, a public proof-of-concept exploit is available for CVE-2020-36947. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2020-36947?

Within 24 hours: Audit access logs for LibreNMS MAC accounting graph endpoints and identify all user accounts with access. Within 7 days: Implement network segmentation to restrict LibreNMS access to authorized administrators only, and disable MAC accounting features if not actively used. Within 30 days: Migrate to an alternative network monitoring solution, establish a vendor communication channel for security updates, or continuously monitor for available patches and deploy immediately upon release.

Librenms CVE-2020-36947

HIGH

SQL Injection (CWE-89)

2026-01-27 disclosure@vulncheck.com

GHSA-qp2j-v5jg-hg68

SQLi Librenms

7.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 02, 2026 - 19:48 vuln.today

Public exploit code

CVE Published

Jan 27, 2026 - 16:16 nvd

HIGH 7.1

DescriptionCVE.org

LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection.

AnalysisAI

LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. [CVSS 7.1 HIGH]

Technical ContextAI

Classified as CWE-89 (SQL Injection). Affects the MAC accounting graph component of Librenms. LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection.

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

CVE-2020-36947 vulnerability details – vuln.today

Back