cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Nagios (7fb1328e-019e-51f8-8fa9-c12efadd1bbe) |
|---|---|
| Product | Nagios Xi (7baa8382-9566-5d4f-a39b-a6738305acfe) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-34288 | vulnerable | 2026-06-03 15:00:44.394239 | Nagios XI Privilege Escalation via Writable PHP Include Executed with Sudo. Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user-accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower-privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user. Published: 2025-12-16T22:17:02.004Z; Updated: 2026-05-14T02:08:10.158Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-34287 | vulnerable | 2026-06-03 15:00:44.387879 | Nagios XI < 2024R2 Privilege Escalation via process_perfdata.pl. Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next run. This improper ownership and permission configuration enables local privilege escalation. Published: 2025-10-30T21:39:43.482Z; Updated: 2025-11-17T18:21:51.502Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-34286 | vulnerable | 2026-06-03 15:00:44.387370 | Nagios XI < 2026R1 RCE via Run Check Command in CCM. Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are executed on the server. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain control of the underlying host operating system. Published: 2025-10-30T21:42:44.052Z; Updated: 2026-05-14T02:08:09.418Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-34284 | vulnerable | 2026-06-03 15:00:44.378980 | Nagios XI < 2024R2 Authenticated Command Injection via WinRM Plugin. Nagios XI versions prior to 2024R2 contain a command injection vulnerability in the WinRM plugin. Insufficient validation of user-supplied parameters allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to modify configuration, exfiltrate data, disrupt monitoring operations, or execute commands on the underlying host operating system. Published: 2025-10-30T21:30:19.179Z; Updated: 2025-11-17T18:21:51.157Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-34283 | vulnerable | 2026-06-03 15:00:44.377200 | Nagios XI < 2024R1.4.2 API Key Disclosure via Neptune Themes. Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API key value. Published: 2025-10-30T21:29:37.293Z; Updated: 2025-11-17T18:21:50.983Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-34227 | vulnerable | 2026-06-03 15:00:44.282828 | Nagios XI < 2026R1 Configuration Wizard Authenticated Command Injection. Nagios XI < 2026R1 contains an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user. Published: 2025-09-25T17:08:52.921Z; Updated: 2026-05-15T11:15:31.803Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-34135 | vulnerable | 2026-06-03 15:00:43.739266 | Nagios XI < 2024R1.4.2 Overly Permissive Permissions on Systemd Unit Files. Nagios XI versions prior to 2024R1.4.2 configure some systemd unit files with permission sets that were too permissive. In particular, the nagios.service unit had executable permissions that were not required. Overly permissive permissions on service unit files can broaden the local attack surface by enabling unintended execution behaviors or facilitating abuse of service operations when combined with other weaknesses. Published: 2025-10-30T21:39:22.649Z; Updated: 2025-11-17T18:21:50.638Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-34134 | vulnerable | 2026-06-03 15:00:43.725958 | Nagios XI < 2024R1.4.2 RCE via Business Process Intelligence (BPI). Nagios XI versions prior to 2024R1.4.2 contain a remote code execution vulnerability in the Business Process Intelligence (BPI) component. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters (notably bpi_logfile and bpi_configfile) allow an authenticated administrative user to cause the product to create or overwrite files within the webroot and subsequently edit them via the BPI configuration editor. When such files carry executable extensions and are served by the web application, arbitrary code may be executed in the context of the web application user. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain further control of the underlying host operating system. Published: 2025-10-30T21:41:58.188Z; Updated: 2025-11-17T18:21:50.474Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-33775 | vulnerable | 2026-06-03 14:55:53.014544 | An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet. Published: 2024-05-01T00:00:00.000Z; Updated: 2024-08-02T02:36:04.581Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-24401 | vulnerable | 2026-06-03 14:55:05.324583 | SQL injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component. Published: 2024-02-26T00:00:00.000Z; Updated: 2024-08-29T15:04:28.042Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-14009 | vulnerable | 2026-06-03 14:54:25.871836 | Nagios XI < 2024R1.0.1 Privilege Escalation via System Profile. Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability. Due to improper access controls and unsafe handling of exported/imported profile data and operations, an authenticated administrator could exploit this vulnerability to execute actions on the underlying XI host outside the application's security scope. Successful exploitation may allow an administrator to obtain root privileges on the XI server. Published: 2025-10-30T21:41:13.594Z; Updated: 2025-11-17T18:21:50.296Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-14008 | vulnerable | 2026-06-03 14:54:25.870836 | Nagios XI < 2024R1.3.2 RCE via WinRM Configuration Wizard. Nagios XI versions prior to 2024R1.3.2 contain a remote command execution vulnerability in the WinRM Configuration Wizard. Insufficient validation of user-supplied input allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user. Published: 2025-10-30T21:43:07.355Z; Updated: 2025-11-17T18:21:50.058Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-14006 | vulnerable | 2026-06-03 14:54:25.850006 | Nagios XI < 2024R1.2.2 Host Header Injection. Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated links or responses, which may facilitate phishing of credentials, account recovery link hijacking, and web cache poisoning. Published: 2025-10-30T21:38:42.351Z; Updated: 2025-11-17T18:21:49.793Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-14005 | vulnerable | 2026-06-03 14:54:25.849272 | Nagios XI < 2024R1.2 Command Injection via Docker Wizard. Nagios XI versions prior to 2024R1.2 contain a command injection vulnerability in the Docker Wizard. Insufficient validation of user-supplied input in the wizard allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user. Published: 2025-10-30T21:37:28.667Z; Updated: 2025-11-17T18:21:49.431Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-14004 | vulnerable | 2026-06-03 14:54:25.848372 | Nagios XI < 2024R1.2 Privilege Escalation via NagVis Configuration (nagvis.conf). Nagios XI versions prior to 2024R1.2 contain a privilege escalation vulnerability related to NagVis configuration handling (nagvis.conf). An authenticated user could manipulate NagVis configuration data or leverage insufficiently validated configuration settings to obtain elevated privileges on the Nagios XI system. Published: 2025-10-30T21:40:51.523Z; Updated: 2025-11-17T18:21:49.174Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-14003 | vulnerable | 2026-06-03 14:54:25.847829 | Nagios XI < 2024R1.2 RCE via NRDP Server Plugins. Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of the web/Nagios service. Published: 2025-10-30T21:42:19.225Z; Updated: 2025-11-17T18:21:48.995Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-14002 | vulnerable | 2026-06-03 14:54:25.847308 | Nagios XI < 2024R1.1.4 Authenticated Local File Inclusion via NagVis. Nagios XI versions prior to 2024R1.1.4 contain a local file inclusion (LFI) vulnerability via its NagVis integration. An authenticated user can supply crafted path values that cause the server to include local files, potentially exposing sensitive information from the underlying host. Published: 2025-10-30T21:30:39.691Z; Updated: 2025-11-17T18:21:48.806Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-14001 | vulnerable | 2026-06-03 14:54:25.846713 | Nagios XI < 2024R1.1.3 XSS via Executive Summary Report. Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Executive Summary Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:52:13.095Z; Updated: 2025-11-17T18:21:48.632Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-14000 | vulnerable | 2026-06-03 14:54:25.846142 | Nagios XI < 2024R1.1.3 XSS via Capacity Planning Report. Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Capacity Planning Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:51:02.400Z; Updated: 2025-11-17T18:21:48.461Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13999 | vulnerable | 2026-06-03 14:54:25.844967 | Nagios XI < 2024R1.1.3 AD/LDAP Token Authenticated Information Disclosure. Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or LDAP authentication token to an authenticated user. Exposure of the server's AD/LDAP token could allow domain-wide authentication misuse, escalation of privileges, or further compromise of network-integrated systems. Published: 2025-10-30T21:28:50.777Z; Updated: 2025-11-17T18:14:56.864Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13998 | vulnerable | 2026-06-03 14:54:25.843766 | Nagios XI < 2024R1.1.3 API Keys & Hashed Passwords Authenticated Information Disclosure. Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions. Published: 2025-11-03T21:53:51.223Z; Updated: 2025-11-17T18:21:48.252Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13997 | vulnerable | 2026-06-03 14:54:25.843175 | Nagios XI < 2024R1.1.3 Privilege Escalation via Migrate Server Feature to Root on Host. Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level attacker could execute actions outside the intended security scope of the application, resulting in full control of the operating system. Published: 2025-11-03T21:55:48.197Z; Updated: 2025-11-17T18:21:47.934Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13996 | vulnerable | 2026-06-03 14:54:25.842576 | Nagios XI < 2024R1.1.3 Session Not Invalidated After Password Change. Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change. Published: 2025-10-30T21:44:26.053Z; Updated: 2025-11-17T18:21:47.755Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13995 | vulnerable | 2026-06-03 14:54:25.841794 | Nagios XI < 2024R1.1.2 API Keys & Hashed Passwords Authenticated Information Disclosure. Nagios XI versions prior to 2024R1.1.2 may (confirmed in 2024R1.1 and 2024R1.1.1) disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. Published: 2025-10-30T21:29:55.745Z; Updated: 2025-11-17T18:21:47.489Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13994 | vulnerable | 2026-06-03 14:54:25.841173 | Nagios XI < 2024R1.1.2 Allow Insecure Logins Missing Authorization. Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios XI web interface depending on the target account. Published: 2025-10-30T21:29:17.240Z; Updated: 2025-11-17T18:21:47.324Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13993 | vulnerable | 2026-06-03 14:54:25.840680 | Nagios XI < 2024R1.1.2 Reflected XSS via Login Page on Older Browsers. Nagios XI versions prior to 2024R1.1.2 are vulnerable to reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim's browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors. Published: 2025-10-30T21:43:55.640Z; Updated: 2025-11-17T18:21:47.166Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13992 | vulnerable | 2026-06-03 14:54:25.838498 | Nagios XI < 2024R1.1 XSS via Missing Page / 404. Nagios XI versions prior to 2024R1.1 are vulnerable to cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied input, allowing an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim's browser within the Nagios XI domain. Published: 2025-10-31T12:35:56.137Z; Updated: 2025-11-17T18:21:46.964Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13986 | vulnerable | 2026-06-03 14:54:25.821970 | Nagios XI < 2024R1.3.2 Authenticated Arbitrary File Upload Path Traversal RCE. Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user. Published: 2025-08-28T15:49:46.119Z; Updated: 2026-05-15T11:14:34.659Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-7318 | vulnerable | 2026-06-03 14:54:00.427422 | Nagios XI < 2024R1.0.2 XSS via Core Command Expansion. Nagios XI versions prior to 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:51:25.049Z; Updated: 2025-11-17T18:21:46.618Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-7317 | vulnerable | 2026-06-03 14:54:00.426863 | Nagios XI < 2024R1 Web SSH Terminal Missing Access Control. Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command execution or disclosure of sensitive information. Published: 2025-10-30T21:47:19.903Z; Updated: 2026-05-14T02:07:06.958Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-7316 | vulnerable | 2026-06-03 14:54:00.426341 | Nagios XI < 2024R1 XSS via Graph Explorer. Nagios XI versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:52:58.088Z; Updated: 2026-05-14T02:07:06.100Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-7315 | vulnerable | 2026-06-03 14:54:00.423105 | Nagios XI < 5.11.3 XSS via Graph Explorer. Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:52:33.775Z; Updated: 2025-11-17T18:21:46.100Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-7314 | vulnerable | 2026-06-03 14:54:00.422724 | Nagios XI < 5.11.3 XSS via Bandwidth Report. Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bandwidth Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:49:27.209Z; Updated: 2025-11-17T18:21:45.860Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-7313 | vulnerable | 2026-06-03 14:54:00.422264 | Nagios XI < 5.11.3 XSS via Bulk Modifications. Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bulk Modifications tool. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:50:39.771Z; Updated: 2025-11-17T18:21:45.677Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-53688 | vulnerable | 2026-06-03 14:53:40.645036 | Nagios XI < 5.11.3 XSS & CSRF via Hypermap Replay. Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform unwanted actions. Published: 2025-10-30T21:47:42.470Z; Updated: 2025-11-17T18:21:45.268Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-51072 | vulnerable | 2026-06-03 14:53:31.910641 | A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI versions up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the audio file upload functionality in the Operation Center section. This allows any authenticated user to execute arbitrary JavaScript code on behalf of other users, including administrators. Published: 2024-02-02T00:00:00.000Z; Updated: 2025-06-16T18:57:09.813Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-48085 | vulnerable | 2026-06-03 14:53:18.481417 | Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php. Published: 2023-12-14T00:00:00.000Z; Updated: 2025-05-22T17:59:06.792Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-48084 | vulnerable | 2026-06-03 14:53:18.481042 | Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool. Published: 2023-12-14T00:00:00.000Z; Updated: 2024-08-28T14:17:11.557Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-48082 | vulnerable | 2026-06-03 14:53:18.472926 | Nagios XI before 2024R1 was discovered to improperly handle the generation of (randomly generated) API keys, allowing attackers to possibly generate the same set of API keys for all users and use them to authenticate. Published: 2024-10-14T00:00:00.000Z; Updated: 2025-03-13T14:42:51.888Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-40934 | vulnerable | 2026-06-03 14:52:50.757806 | A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings. Published: 2023-09-19T00:00:00.000Z; Updated: 2024-09-24T20:43:56.157Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-40933 | vulnerable | 2026-06-03 14:52:50.757471 | A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function. Published: 2023-09-19T00:00:00.000Z; Updated: 2024-09-24T20:38:15.397Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-40932 | vulnerable | 2026-06-03 14:52:50.757126 | A cross-site scripting (XSS) vulnerability in Nagios XI version 5.11.1 and below allows authenticated attackers with access to the custom logo component to inject arbitrary JavaScript or HTML via the alt-text field. This affects all pages containing the navbar, including the login page, which means the attacker is able to steal plaintext credentials. Published: 2023-09-19T00:00:00.000Z; Updated: 2024-09-24T20:39:19.860Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-40931 | vulnerable | 2026-06-03 14:52:50.756682 | A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php. Published: 2023-09-19T00:00:00.000Z; Updated: 2024-09-25T14:26:23.515Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-50588 | vulnerable | 2026-06-03 14:48:44.822895 | Nagios XI < 5.8.9 Stored XSS in Update Checking. Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the update checking feature. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:45:33.708Z; Updated: 2025-11-17T18:21:44.935Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-50587 | vulnerable | 2026-06-03 14:48:44.822564 | Nagios XI < 5.8.9 Stored XSS via Command Names in Apply Config Error Text. Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) via the Apply Configuration error text. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:46:15.817Z; Updated: 2025-11-17T18:21:44.766Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-50586 | vulnerable | 2026-06-03 14:48:44.822218 | Nagios XI < 5.8.9 Stored XSS via BPI Info URL. Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the BPI component via the info URL field. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:45:53.493Z; Updated: 2025-11-17T18:21:44.541Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-50585 | vulnerable | 2026-06-03 14:48:44.821839 | Nagios XI < 5.8.9 Core Config Manager (CCM) XSS via Audit Log Page Search Input. The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.7 / Nagios XI 5.8.9 contains a cross-site scripting (XSS) vulnerability via the Audit Log page search input. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:34:05.777Z; Updated: 2025-11-17T18:21:44.381Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-50584 | vulnerable | 2026-06-03 14:48:44.821378 | Nagios XI < 5.8.8 Core Config Manager (CCM) XSS via Search & Deletion Flows. The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.6 / Nagios XI 5.8.8 contains a cross-site scripting (XSS) vulnerability via the search and deletion interfaces. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:36:08.674Z; Updated: 2025-11-17T18:21:44.197Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-38254 | vulnerable | 2026-06-03 14:47:49.473563 | Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5. Published: 2022-09-07T21:14:37.000Z; Updated: 2024-08-03T10:45:53.086Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-38248 | vulnerable | 2026-06-03 14:47:49.472480 | Nagios XI before v5.8.7 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at auditlog.php. Published: 2022-09-07T21:14:40.000Z; Updated: 2024-08-03T10:45:53.047Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-29272 | vulnerable | 2026-06-03 14:46:57.580224 | In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing. Published: 2022-06-29T00:58:52.000Z; Updated: 2024-08-03T06:17:54.505Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-29271 | vulnerable | 2026-06-03 14:46:57.579887 | In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services. This allows an attacker to permanently disable all monitoring checks. Published: 2022-06-29T00:58:46.000Z; Updated: 2024-08-03T06:17:54.507Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-29270 | vulnerable | 2026-06-03 14:46:57.579547 | In Nagios XI through 5.8.5, it is possible for a user to change their e-mail address without password verification. Published: 2022-06-29T00:58:40.000Z; Updated: 2024-08-03T06:17:54.489Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-29269 | vulnerable | 2026-06-03 14:46:57.579110 | In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails sent from an official email address. Published: 2022-06-29T00:58:34.000Z; Updated: 2024-08-03T06:17:54.570Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-47700 | vulnerable | 2026-06-03 14:45:46.858814 | Nagios XI < 5.8.7 Insecure Permissions on Highcharts Temporary Directory. Nagios XI versions prior to 5.8.7 used a temporary directory for Highcharts exports with overly permissive ownership/permissions under the Apache user. Local or co-hosted processes could read/overwrite export artifacts or manipulate paths, risking disclosure or tampering and potential code execution depending on deployment. Published: 2025-10-30T21:39:02.693Z; Updated: 2025-11-17T18:21:43.914Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-47699 | vulnerable | 2026-06-03 14:45:46.858482 | Nagios XI < 5.8.7 XSS in Audit Log via Send to NLS Form. Nagios XI versions prior to 5.8.7 are vulnerable to cross-site scripting (XSS) via the Audit Log page's Send to NLS form. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:48:05.631Z; Updated: 2025-11-17T18:21:43.598Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-47698 | vulnerable | 2026-06-03 14:45:46.858145 | Nagios XI < 5.8.7 XSS in Core UI Views URL Handling. Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI's Views URL handling (escape_string()). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-11-03T21:56:10.803Z; Updated: 2025-11-17T18:21:43.378Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-47697 | vulnerable | 2026-06-03 14:45:46.857811 | Nagios XI < 5.8.0 XSS via Views URL Handling. Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via the Views feature URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:57:03.111Z; Updated: 2025-11-17T18:21:43.156Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-47696 | vulnerable | 2026-06-03 14:45:46.857487 | Nagios XI < 5.8.0 XSS via BPI Config ID Handling. Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via BPI config ID handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. Published: 2025-10-30T21:49:49.447Z; Updated: 2025-11-17T18:21:42.882Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-47695 | vulnerable | 2026-06-03 14:45:46.857146 | Nagios XI < 5.8.0 XSS via My Tools Page. Nagios XI versions prior to 5.8.0 are vulnerable to stored cross-site scripting (XSS) via the My Tools page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |
Published: 2025-10-30T21:54:48.701Z
Updated: 2025-11-17T18:21:42.710Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-47694 |
vulnerable | 2026-06-03 14:45:46.856802 |
Nagios XI < 5.8.6 Core Config Manager (CCM) Reflected XSS via Test Command
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.4 / Nagios XI 5.8.6 contains a reflected cross-site scripting (XSS) vulnerability via the Test Command functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:32:43.970Z
Updated: 2025-11-17T18:21:42.541Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-47693 |
vulnerable | 2026-06-03 14:45:46.856446 |
Nagios XI < 5.8.5 Core Config Manager (CCM) SQL Injection via Improper Escaping in Search Text
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database.
Published: 2025-10-30T21:33:18.775Z
Updated: 2025-11-17T18:21:42.360Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-47691 |
vulnerable | 2026-06-03 14:45:46.856023 |
Nagios XI < 5.8.2 Core Config Manager (CCM) XSS via Services Page
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.1 / Nagios XI 5.8.2 contains multiple cross-site scripting (XSS) vulnerabilities via the Services page affecting the config_name and service_description fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:36:28.131Z
Updated: 2025-11-17T18:21:42.163Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-47690 |
vulnerable | 2026-06-03 14:45:46.855657 |
Nagios XI < 5.8.2 Core Config Manager (CCM) XSS via Overlay Modals
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.1 / Nagios XI 5.8.2 contains multiple cross-site scripting (XSS) vulnerabilities in Overlay modals. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:35:22.207Z
Updated: 2025-11-17T18:21:41.967Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-47689 |
vulnerable | 2026-06-03 14:45:46.855204 |
Nagios XI < 5.8.0 Core Config Manager (CCM) XSS via Templates Pages
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.0 / Nagios XI 5.8.0 contains a cross-site scripting (XSS) vulnerability in the Templates pages, specifically in the UI logic that renders and handles the Active/Actions buttons. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:36:50.105Z
Updated: 2025-11-17T18:21:41.799Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-3277 |
vulnerable | 2026-06-03 14:45:10.331018 |
Details available
Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality in custom-includes component, which leads to remote code execution by uploading php files.
Published: 2021-06-07T21:05:03.000Z
Updated: 2024-08-03T16:53:17.204Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-3273 |
vulnerable | 2026-06-03 14:45:10.309876 |
Details available
Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.
Published: 2021-02-25T13:32:53.000Z
Updated: 2024-08-03T16:53:16.523Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-3193 |
vulnerable | 2026-06-03 14:45:10.270350 |
Details available
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.
Published: 2021-01-22T03:56:03.000Z
Updated: 2024-08-03T16:45:51.395Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-38156 |
vulnerable | 2026-06-03 14:45:01.462084 |
Details available
In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.
Published: 2021-09-15T13:20:49.000Z
Updated: 2024-08-04T01:37:15.823Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-37352 |
vulnerable | 2026-06-03 14:45:00.462346 |
Details available
An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.
Published: 2021-08-13T11:29:41.000Z
Updated: 2024-08-04T01:16:03.706Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-37351 |
vulnerable | 2026-06-03 14:45:00.462075 |
Details available
Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.
Published: 2021-08-13T11:29:50.000Z
Updated: 2024-08-04T01:16:04.040Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-37350 |
vulnerable | 2026-06-03 14:45:00.461808 |
Details available
Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation.
Published: 2021-08-13T11:30:17.000Z
Updated: 2024-08-04T01:16:04.046Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-37349 |
vulnerable | 2026-06-03 14:45:00.461534 |
Details available
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database.
Published: 2021-08-13T11:30:24.000Z
Updated: 2024-08-04T01:16:03.219Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-37348 |
vulnerable | 2026-06-03 14:45:00.461246 |
Details available
Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.
Published: 2021-08-13T11:30:32.000Z
Updated: 2024-08-04T01:16:04.118Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-37347 |
vulnerable | 2026-06-03 14:45:00.460929 |
Details available
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.
Published: 2021-08-13T11:30:39.000Z
Updated: 2024-08-04T01:16:04.034Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-37345 |
vulnerable | 2026-06-03 14:45:00.458613 |
Details available
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.
Published: 2021-08-13T11:32:09.000Z
Updated: 2024-08-04T01:16:03.995Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-37343 |
vulnerable | 2026-06-03 14:45:00.455920 |
Details available
A path traversal vulnerability exists in the AutoDiscovery component of Nagios XI below version 5.8.5 and could lead to post-authentication RCE under the security context of the user running Nagios.
Published: 2021-08-13T11:32:28.000Z
Updated: 2024-08-04T01:16:04.047Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-37223 |
vulnerable | 2026-06-03 14:45:00.414582 |
Details available
Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files.
Published: 2021-10-05T11:59:50.000Z
Updated: 2024-08-04T01:16:03.944Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-36366 |
vulnerable | 2026-06-03 14:44:58.818890 |
Details available
Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.
Published: 2021-09-28T16:54:31.000Z
Updated: 2024-08-04T00:54:51.522Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-36365 |
vulnerable | 2026-06-03 14:44:58.818608 |
Details available
Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.
Published: 2021-09-28T16:53:34.000Z
Updated: 2024-08-04T00:54:51.427Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-36364 |
vulnerable | 2026-06-03 14:44:58.818288 |
Details available
Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.
Published: 2021-09-28T16:52:09.000Z
Updated: 2024-08-04T00:54:51.470Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-36363 |
vulnerable | 2026-06-03 14:44:58.817907 |
Details available
Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.
Published: 2021-09-28T16:50:25.000Z
Updated: 2024-08-04T00:54:51.419Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-33179 |
vulnerable | 2026-06-03 14:44:42.833295 |
Details available
The general user interface in Nagios XI versions prior to 5.8.4 is vulnerable to authenticated reflected cross-site scripting. An authenticated victim, who accesses a specially crafted malicious URL, would unknowingly execute the attached payload.
Published: 2021-10-14T14:57:17.000Z
Updated: 2024-08-03T23:42:20.281Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-33177 |
vulnerable | 2026-06-03 14:44:42.830362 |
Details available
The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary SQL queries.
Published: 2021-10-14T14:55:39.000Z
Updated: 2024-08-03T23:42:20.048Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-25298 |
vulnerable | 2026-06-03 14:44:04.994452 |
Details available
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Published: 2021-02-15T00:00:00.000Z
Updated: 2025-10-21T23:35:26.568Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-25297 |
vulnerable | 2026-06-03 14:44:04.993945 |
Details available
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Published: 2021-02-15T00:00:00.000Z
Updated: 2025-10-21T23:35:27.009Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-25296 |
vulnerable | 2026-06-03 14:44:04.993332 |
Details available
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Published: 2021-02-15T00:00:00.000Z
Updated: 2025-10-21T23:35:27.410Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-5791 |
vulnerable | 2026-06-03 14:42:57.306074 |
Details available
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
Published: 2020-10-20T21:22:00.000Z
Updated: 2024-08-04T08:39:25.932Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36869 |
vulnerable | 2026-06-03 14:42:40.067339 |
Nagios XI < 5.7.5 SQL injection via SNMP Trap Interface Edit Page
Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database.
Published: 2025-10-30T21:45:10.468Z
Updated: 2025-11-17T18:21:41.647Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36868 |
vulnerable | 2026-06-03 14:42:40.066945 |
Nagios XI < 5.7.3 Privilege escalation via Insecure getprofile.sh Script
Nagios XI versions prior to 5.7.3 contain a privilege escalation vulnerability in the getprofile.sh helper script. The script performed profile retrieval and initialization routines using insecure file/command handling and insufficient validation of attacker-controlled inputs, and in some deployments executed with elevated privileges. A local attacker with low-level access could exploit these weaknesses to cause the script to execute arbitrary commands or modify privileged files, resulting in privilege escalation.
Published: 2025-10-30T21:40:03.387Z
Updated: 2025-11-17T18:21:41.468Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36867 |
vulnerable | 2026-06-03 14:42:40.066520 |
Nagios XI < 5.7.3 Command Injection in Report PDF Download
Nagios XI versions prior to 5.7.3 contain a command injection vulnerability in the report PDF download/export functionality. User-supplied values used in the PDF generation pipeline or the wrapper that invokes offline/pdf helper utilities were insufficiently validated or improperly escaped, allowing an authenticated attacker who can trigger PDF exports to inject shell metacharacters or arguments.
Published: 2025-10-30T21:37:09.717Z
Updated: 2025-11-17T18:21:41.306Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36866 |
vulnerable | 2026-06-03 14:42:40.066189 |
Nagios XI < 5.7.3 XSS via Manage Users in Admin Interface
Nagios XI versions prior to 5.7.3 are vulnerable to cross-site scripting (XSS) via the Manage Users page of the Admin interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:53:41.720Z
Updated: 2025-11-17T18:21:41.113Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36865 |
vulnerable | 2026-06-03 14:42:40.065842 |
Nagios XI < 5.7.2 XSS via BPI Config Management
Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the BPI (Business Process Intelligence) component’s Config Management and Edit Config page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:50:14.113Z
Updated: 2025-11-17T18:21:40.923Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36864 |
vulnerable | 2026-06-03 14:42:40.065501 |
Nagios XI < 5.7.2 XSS via Dashboard Background Color Setting
Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the background color settings in Dashboards. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:51:46.256Z
Updated: 2025-11-17T18:21:40.687Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36863 |
vulnerable | 2026-06-03 14:42:40.065136 |
Nagios XI < 5.7.2 Unrestricted File Upload via Audio Import Directory
Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import feature could upload a crafted PHP file and then request it to achieve remote code execution with the privileges of the application service.
Published: 2025-10-30T21:46:58.792Z
Updated: 2025-11-17T18:21:40.512Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36862 |
vulnerable | 2026-06-03 14:42:40.064784 |
Nagios XI < 5.6.11 Unauthenticated XSS and SSRF via Highcharts
Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSRF), potentially accessing internal network resources. An unauthenticated remote attacker can leverage these issues to execute script in a user's browser when the exported content is viewed and to disclose sensitive information reachable from the export server via SSRF.
Published: 2025-10-30T21:46:37.314Z
Updated: 2025-11-17T18:21:40.292Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36861 |
vulnerable | 2026-06-03 14:42:40.064411 |
Nagios XI < 5.7.5 Core Config Manager (CCM) XSS via Overlay Rendering and Notification/Check Period Pages
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.8 / Nagios XI 5.7.5 contains multiple cross-site scripting (XSS) vulnerabilities in the overlay UI elements and the Notification/Check Period pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:35:47.361Z
Updated: 2025-11-17T18:21:40.109Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36860 |
vulnerable | 2026-06-03 14:42:40.064049 |
Nagios XI < 5.7.4 Core Config Manager (CCM) XSS via Object Edit Pages
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple cross-site scripting (XSS) vulnerabilities in the object edit pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:34:57.698Z
Updated: 2025-11-17T18:21:39.921Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36859 |
vulnerable | 2026-06-03 14:42:40.063683 |
Nagios XI < 5.7.4 Core Config Manager (CCM) SQL Injection via Object Edit Pages
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple SQL injection vulnerabilities in the object edit pages. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database.
Published: 2025-10-30T21:33:40.529Z
Updated: 2025-11-17T18:21:39.757Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36857 |
vulnerable | 2026-06-03 14:42:40.061934 |
Nagios XI < 5.6.14 Authenticated SQL Injection via SNMP Trap Interface Page
Nagios XI versions prior to 5.6.14 contain a post-authentication SQL injection vulnerability in the SNMP Trap Interface page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database.
Published: 2025-10-30T21:31:41.981Z
Updated: 2025-11-24T20:28:28.611Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36856 |
vulnerable | 2026-06-03 14:42:40.061452 |
Nagios XI < 5.6.14 Authenticated RCE command_test.php via address
Nagios XI versions prior to 5.6.14 contain an authenticated remote command execution vulnerability in the CCM command_test.php script. Insufficient validation of the `address` parameter allows an authenticated user with access to the Core Config Manager to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and may be leveraged to execute commands on the underlying XI host, modify system configuration, or fully compromise the host.
Published: 2025-10-30T21:30:59.762Z
Updated: 2025-11-17T18:21:39.407Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-35578 |
vulnerable | 2026-06-03 14:42:32.069265 |
Details available
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.
Published: 2021-01-13T20:19:50.000Z
Updated: 2024-08-04T17:09:14.253Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-28910 |
vulnerable | 2026-06-03 14:42:21.815261 |
Details available
Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.
Published: 2021-05-24T12:44:15.000Z
Updated: 2024-08-04T16:41:00.310Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-28906 |
vulnerable | 2026-06-03 14:42:21.814064 |
Details available
Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are able to modify files that are included (aka sourced) by scripts executed by root.
Published: 2021-05-24T12:43:53.000Z
Updated: 2024-08-04T16:40:59.974Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-28900 |
vulnerable | 2026-06-03 14:42:21.812065 |
Details available
Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.
Published: 2021-05-24T12:43:22.000Z
Updated: 2024-08-04T16:40:59.950Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-28648 |
vulnerable | 2026-06-03 14:42:21.599517 |
Details available
Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.
Published: 2020-11-16T02:28:38.000Z
Updated: 2024-08-04T16:40:59.934Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-27991 |
vulnerable | 2026-06-03 14:42:18.949026 |
Details available
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).
Published: 2020-11-16T16:57:54.000Z
Updated: 2024-08-04T16:25:44.115Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-27990 |
vulnerable | 2026-06-03 14:42:18.948769 |
Details available
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent).
Published: 2020-11-16T16:57:04.000Z
Updated: 2024-08-04T16:25:44.121Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-27989 |
vulnerable | 2026-06-03 14:42:18.948492 |
Details available
Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard).
Published: 2020-11-16T16:56:02.000Z
Updated: 2024-08-04T16:25:44.180Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-27988 |
vulnerable | 2026-06-03 14:42:18.948128 |
Details available
Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field).
Published: 2020-11-16T16:54:37.000Z
Updated: 2024-08-04T16:25:44.109Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-15903 |
vulnerable | 2026-06-03 14:41:46.971127 |
Details available
An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by the nagios user. This issue was fixed in version 5.7.3.
Published: 2020-09-09T20:29:24.000Z
Updated: 2024-08-04T13:30:23.225Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-15902 |
vulnerable | 2026-06-03 14:41:46.970836 |
Details available
Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option.
Published: 2020-07-22T21:28:59.000Z
Updated: 2024-08-04T13:30:23.337Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-15901 |
vulnerable | 2026-06-03 14:41:46.970427 |
Details available
In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys.
Published: 2020-07-22T21:29:11.000Z
Updated: 2024-08-04T13:30:22.684Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-9167 |
vulnerable | 2026-06-03 14:40:48.798950 |
Details available
Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.
Published: 2019-03-28T19:14:26.000Z
Updated: 2024-08-04T21:38:46.583Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-9166 |
vulnerable | 2026-06-03 14:40:48.798636 |
Details available
Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php.
Published: 2019-03-28T19:10:01.000Z
Updated: 2024-08-04T21:38:46.619Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-9165 |
vulnerable | 2026-06-03 14:40:48.798323 |
Details available
SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.
Published: 2019-03-28T18:59:09.000Z
Updated: 2024-08-04T21:38:46.523Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-9164 |
vulnerable | 2026-06-03 14:40:48.797902 |
Details available
Command injection in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job.
Published: 2019-03-28T16:43:13.000Z
Updated: 2024-08-04T21:38:46.565Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-15949 |
vulnerable | 2026-06-03 14:39:53.412562 |
Details available
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
Published: 2019-09-05T16:50:38.000Z
Updated: 2025-10-21T23:45:31.401Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-8736 |
vulnerable | 2026-06-03 14:39:09.281894 |
Details available
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability to escalate to root.
Published: 2018-04-18T00:00:00.000Z
Updated: 2024-08-05T07:02:26.073Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-8735 |
vulnerable | 2026-06-03 14:39:09.281550 |
Details available
Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.
Published: 2018-04-18T00:00:00.000Z
Updated: 2024-08-05T07:02:26.036Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-8734 |
vulnerable | 2026-06-03 14:39:09.281162 |
Details available
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
Published: 2018-04-18T00:00:00.000Z
Updated: 2024-08-05T07:02:26.100Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-8733 |
vulnerable | 2026-06-03 14:39:09.280505 |
Details available
Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
Published: 2018-04-18T00:00:00.000Z
Updated: 2024-08-05T07:02:26.040Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-25123 |
vulnerable | 2026-06-03 14:38:40.949936 |
Nagios XI < 5.5.7 Privilege Escalation via MRTG Graphing Component
Nagios XI versions prior to 5.5.7 contain a privilege escalation vulnerability in the MRTG graphing component. MRTG-related processes/scripts executed with excessive privileges, allowing a local attacker with limited system access to abuse file/command execution paths or writable resources to gain elevated privileges.
Published: 2025-10-30T21:40:26.892Z
Updated: 2025-11-17T18:21:39.196Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-25122 |
vulnerable | 2026-06-03 14:38:40.949573 |
Nagios XI < 5.4.13 Component Download Page RCE
Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled input and lacked sufficient validation and output encoding, allowing an authenticated user to inject commands or otherwise execute arbitrary code with the privileges of the application service.
Published: 2025-10-30T21:37:48.530Z
Updated: 2025-11-17T18:21:39.028Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-25121 |
vulnerable | 2026-06-03 14:38:40.949157 |
Nagios XI < 5.4.13 XSS via Views Page
Nagios XI versions prior to 5.4.13 are vulnerable to cross-site scripting (XSS) via the Views page of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:56:43.433Z
Updated: 2025-11-17T18:21:38.867Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-20172 |
vulnerable | 2026-06-03 14:38:38.684389 |
Details available
An issue was discovered in Nagios XI before 5.5.8. The rss_url parameter of rss_dashlet/magpierss/scripts/magpie_slashbox.php is not filtered, resulting in an XSS vulnerability.
Published: 2018-12-17T15:00:00.000Z
Updated: 2024-08-05T11:51:19.271Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-20171 |
vulnerable | 2026-06-03 14:38:38.683983 |
Details available
An issue was discovered in Nagios XI before 5.5.8. The url parameter of rss_dashlet/magpierss/scripts/magpie_simple.php is not filtered, resulting in an XSS vulnerability.
Published: 2018-12-17T15:00:00.000Z
Updated: 2024-08-05T11:51:19.374Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-17148 |
vulnerable | 2026-06-03 14:38:21.452877 |
Details available
An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.
Published: 2019-06-19T17:23:25.000Z
Updated: 2024-08-05T10:39:59.575Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-17147 |
vulnerable | 2026-06-03 14:38:21.452572 |
Details available
Nagios XI before 5.5.4 has XSS in the auto login admin management page.
Published: 2019-07-10T13:59:13.000Z
Updated: 2024-08-05T10:39:59.587Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-17146 |
vulnerable | 2026-06-03 14:38:21.452183 |
Details available
A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page.
Published: 2019-06-19T17:25:16.000Z
Updated: 2024-08-05T10:39:59.554Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-15714 |
vulnerable | 2026-06-03 14:38:14.212653 |
Details available
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the oname and oname2 parameters.
Published: 2018-11-14T18:00:00.000Z
Updated: 2024-09-16T20:01:50.609Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-15713 |
vulnerable | 2026-06-03 14:38:14.212392 |
Details available
Nagios XI 5.5.6 allows persistent cross site scripting from remote authenticated attackers via the stored email address in admin/users.php.
Published: 2018-11-14T18:00:00.000Z
Updated: 2024-09-17T01:56:44.865Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-15712 |
vulnerable | 2026-06-03 14:38:14.212125 |
Details available
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php.
Published: 2018-11-14T18:00:00.000Z
Updated: 2024-09-16T19:09:54.638Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-15711 |
vulnerable | 2026-06-03 14:38:14.211848 |
Details available
Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges.
Published: 2018-11-14T18:00:00.000Z
Updated: 2024-09-17T01:37:03.880Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-15710 |
vulnerable | 2026-06-03 14:38:14.211565 |
Details available
Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.
Published: 2018-11-14T18:00:00.000Z
Updated: 2024-09-17T00:51:15.249Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-15709 |
vulnerable | 2026-06-03 14:38:14.211239 |
Details available
Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request.
Published: 2018-11-14T18:00:00.000Z
Updated: 2024-09-17T02:11:03.837Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-15708 |
vulnerable | 2026-06-03 14:38:14.210078 |
Details available
Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.
Published: 2018-11-14T18:00:00.000Z
Updated: 2024-09-17T01:55:50.961Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-10738 |
vulnerable | 2026-06-03 14:38:00.151157 |
Details available
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.
Published: 2018-05-16T13:00:00.000Z
Updated: 2024-08-05T07:46:46.687Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-10737 |
vulnerable | 2026-06-03 14:38:00.150875 |
Details available
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.
Published: 2018-05-16T13:00:00.000Z
Updated: 2024-08-05T07:46:47.165Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-10736 |
vulnerable | 2026-06-03 14:38:00.150578 |
Details available
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
Published: 2018-05-16T13:00:00.000Z
Updated: 2024-08-05T07:46:46.459Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-10735 |
vulnerable | 2026-06-03 14:38:00.150194 |
Details available
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.
Published: 2018-05-16T13:00:00.000Z
Updated: 2024-08-05T07:46:46.598Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2016-15053 |
vulnerable | 2026-06-03 14:35:30.463593 |
Nagios XI < 5.2.4 XSS via “My Reports” Listing
Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:54:25.746Z
Updated: 2025-11-17T18:21:38.698Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2016-15052 |
vulnerable | 2026-06-03 14:35:30.463244 |
Nagios XI < 5.2.4 XSS via Menu System
Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Menu System of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:54:04.092Z
Updated: 2025-11-17T18:21:38.506Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2016-15051 |
vulnerable | 2026-06-03 14:35:30.462861 |
Nagios XI < 5.2.4 XSS via Report startdate/enddate Fields
Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:55:32.598Z
Updated: 2025-11-17T18:21:38.334Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2016-15050 |
vulnerable | 2026-06-03 14:35:30.462409 |
Nagios XI < 5.2.4 SQL Injection in Notification Search
Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitization, allowing an authenticated user to manipulate database queries. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly.
Published: 2025-10-30T21:44:49.116Z
Updated: 2025-11-17T18:21:38.140Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-6875 |
vulnerable | 2026-06-03 14:33:32.850874 |
Details available
SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.
Published: 2013-11-26T16:00:00.000Z
Updated: 2024-09-16T20:42:01.565Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-10074 |
vulnerable | 2026-06-03 14:32:47.497219 |
Nagios XI < 2012R2.6 XSS via Tools Menu
Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:56:22.290Z
Updated: 2025-11-17T18:21:37.954Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-10073 |
vulnerable | 2026-06-03 14:32:47.496687 |
Nagios XI < 2012R1.6 Auto-Discovery Shell Command Injection
Nagios XI versions prior to 2012R1.6 contain a shell command injection vulnerability in the Auto-Discovery tool. User-controlled input is passed to a shell without adequate sanitization or argument quoting, allowing an authenticated user with access to discovery functionality to execute arbitrary commands with the privileges of the application service.
Published: 2025-10-30T21:32:22.811Z
Updated: 2025-11-17T18:21:37.775Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-10072 |
vulnerable | 2026-06-03 14:32:47.496166 |
Nagios XI < 2012R1.6 Auto-Discovery Missing Authorization
Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations.
Published: 2025-10-30T21:32:02.900Z
Updated: 2025-11-17T18:21:37.552Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-10071 |
vulnerable | 2026-06-03 14:32:47.492587 |
Nagios XI < 2012R1.6 Reflected XSS via Dashlet AJAX Load Functionality
Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:43:34.559Z
Updated: 2025-11-17T18:21:37.382Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-10063 |
vulnerable | 2026-06-03 14:31:40.869125 |
Nagios XI < 2012R1.3 Authenticated SQL Injection in Legacy CCM
Nagios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly.
Published: 2025-10-30T21:31:21.797Z
Updated: 2025-11-24T20:28:50.030Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-10040 |
vulnerable | 2026-06-03 14:30:52.550163 |
Nagios XI < 2011R1.9 XSS via Status/Report Page Link Functions
Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:55:55.168Z
Updated: 2025-11-17T18:21:36.760Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-10039 |
vulnerable | 2026-06-03 14:30:52.549623 |
Nagios XI < 2011R1.9 XSS via Alert Heatmap Report & “My Reports” Listing
Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the Alert Heatmap report and the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:48:44.152Z
Updated: 2025-11-17T18:21:36.590Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-10038 |
vulnerable | 2026-06-03 14:30:52.549089 |
Nagios XI < 2011R1.9 XSS via Recurring Downtime Script
Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:55:10.682Z
Updated: 2025-11-17T18:21:36.418Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-10037 |
vulnerable | 2026-06-03 14:30:52.548549 |
Nagios XI < 2011R1.9 XSS via xiwindow Variables Affecting Permalinks
Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:57:27.150Z
Updated: 2025-12-22T17:24:04.578Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-10036 |
vulnerable | 2026-06-03 14:30:52.547953 |
Nagios XI < 2011R1.9 XSS via backend_url JavaScript Link Handler
Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Published: 2025-10-30T21:49:05.959Z
Updated: 2025-11-17T18:21:35.913Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2011-10035 |
vulnerable | 2026-06-03 14:30:52.542733 |
Nagios XI < 2011R1.9 Race Conditions in Crontab Install Scripts LPE
Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the files or commands executed with elevated privileges, resulting in execution with higher privileges.
Published: 2025-10-30T21:41:36.116Z
Updated: 2025-11-17T18:21:35.708Z |
Imported from gcve-enriched-dumps CVE data |