📦 Nagios XI
by Nagios
⚠️ Known Vulnerabilities
Nagios XI versions before 2024R1.1.3 fail to invalidate existing user sessions when passwords are changed, allowing attackers who have compromised a session to maintain access even after the legitimat...
Nagios XI versions before 2024R1.2 contain a critical remote code execution vulnerability in the NRDP server plugins. Attackers can send specially crafted NRDP requests to execute arbitrary commands o...
Nagios XI versions before 2024R1.1.2 have a missing authorization vulnerability when 'Allow Insecure Logins' is enabled. This allows any user to create valid login credentials for other users without ...
This SQL injection vulnerability in Nagios XI's legacy Core Configuration Manager allows authenticated users to manipulate database queries. Attackers could access or modify configuration data, includ...
Nagios XI versions before 2024R1 have an API key generation vulnerability where attackers can generate identical API keys for all users. This allows authentication bypass and potential full system com...
A privilege escalation vulnerability in Nagios XI's Autodiscover component allows remote attackers to execute arbitrary code via crafted Dashlets. This affects Nagios XI 2024R1.01 installations, poten...
A critical SQL injection vulnerability in Nagios XI 2024R1.01 allows remote attackers to execute arbitrary SQL commands via the monitoringwizard.php component. This can lead to complete system comprom...
Nagios XI versions before 5.11.3 contain a SQL injection vulnerability in the bulk modification tool that allows attackers to execute arbitrary SQL commands. This affects all Nagios XI installations r...
Nagios XI versions before 5.8.5 have incorrect permissions on migrate.php, allowing unauthorized access. This vulnerability affects Nagios XI monitoring systems and could allow attackers to execute ar...
CVE-2021-36365 is a critical privilege escalation vulnerability in Nagios XI where the repairmysql.sh script has incorrect file permissions. This allows any local user to execute arbitrary commands wi...
CVE-2021-37350 is a critical SQL injection vulnerability in Nagios XI's Bulk Modifications Tool that allows attackers to execute arbitrary SQL commands. This affects Nagios XI administrators and users...
This vulnerability in Nagios XI 5.7.5 and earlier allows local attackers to escalate privileges by exploiting insecure temporary directory permissions in getprofile.sh. Attackers can create symbolic l...
This vulnerability allows attackers to escalate privileges to root or execute arbitrary code on Nagios Fusion and Nagios XI systems by exploiting insufficient verification of update package authentici...
CVE-2021-3193 is a critical remote code execution vulnerability in Nagios Docker Config Wizard that allows unauthenticated attackers to execute arbitrary commands as the apache user. This affects Nagi...
CVE-2020-15903 is a privilege escalation vulnerability in Nagios XI where backend scripts running as root included files editable by the lower-privileged nagios user. This allows the nagios user to es...
This vulnerability allows authenticated remote attackers to execute arbitrary commands on Nagios Host installations through command injection in the monitoringwizard module. Attackers can achieve remo...
Nagios XI 2026R1.0.1 build 1762361101 contains a directory traversal vulnerability in /admin/coreconfigsnapshots.php that allows attackers to access files outside the intended directory. This affects N...
Nagios XI 2026R1.0.1 build 1762361101 contains a SQL injection vulnerability in dashboard parameters that lacks proper input filtering. Any authenticated user can exploit this to execute arbitrary SQL ...
This vulnerability allows authenticated Nagios XI administrators to escalate their privileges to root on the underlying host system by abusing the Migrate Server feature. Attackers with admin access c...
This vulnerability allows attackers with web server privileges (www-data user) to modify a Nagios XI script, leading to arbitrary code execution as the nagios user when the script runs. It enables loc...
Nagios XI versions before 2024R2 contain an authenticated command injection vulnerability in the WinRM plugin. An authenticated administrator can inject shell commands that execute with Nagios XI web ...
Nagios XI versions before 2024R1.2 contain a command injection vulnerability in the Docker Wizard. Authenticated administrators can inject shell commands through insufficient input validation, leading...
Nagios XI versions before 2024R1.3.2 contain a remote command execution vulnerability in the WinRM Configuration Wizard. Authenticated administrators can inject shell commands through insufficient inp...
Nagios XI versions before 2024R1 have a missing access control vulnerability in the Web SSH Terminal. Remote attackers with low privileges can access the terminal without proper authorization, potenti...
Nagios XI versions before 5.8.7 use insecure permissions on a temporary directory for Highcharts exports, allowing local or co-hosted processes to read, modify, or delete exported files. This vulnerab...
This SQL injection vulnerability in Nagios XI's Core Config Manager allows authenticated users to inject malicious SQL queries through search text fields. Successful exploitation could lead to unautho...
This vulnerability allows authenticated attackers to upload PHP files to Nagios XI's Audio Import directory and execute them, leading to remote code execution. It affects Nagios XI versions before 5.7...
This vulnerability allows authenticated attackers in Nagios XI to execute arbitrary commands on the server by injecting shell metacharacters into PDF report generation parameters. Attackers can achiev...
Nagios XI versions before 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. This allows authenticated administrators to execute arbitrary SQL commands against the datab...
This vulnerability allows authenticated users with Core Config Manager access in Nagios XI to execute arbitrary commands on the host system by injecting shell metacharacters into the address parameter...
This SQL injection vulnerability in Nagios XI's Core Config Manager allows authenticated users to inject malicious SQL queries through object edit pages. Successful exploitation could lead to unauthor...
This vulnerability allows authenticated users of Nagios XI to execute arbitrary commands on the server through the Component Download page. Attackers can achieve remote code execution with application...
This vulnerability allows authenticated users with access to the Auto-Discovery tool in Nagios XI to inject and execute arbitrary shell commands, potentially leading to remote code execution with the ...
Nagios XI versions before 5.2.4 contain a SQL injection vulnerability in the notification search feature. Authenticated users can manipulate database queries to access or modify notification data, pot...
This CVE describes a local privilege escalation vulnerability in Nagios XI where low-privileged users can exploit race conditions during crontab installation/update scripts. Attackers can manipulate f...
This SQL injection vulnerability in Nagios XI allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands. Attackers could potentially read, modi...
CVE-2021-40343 is a privilege escalation vulnerability in Nagios XI where insecure file permissions on nagios_unbundler.py allow the nagios user to execute arbitrary code as root. This affects Nagios ...
This is a command injection vulnerability in Nagios XI 5.8.5 that allows authenticated administrators to execute arbitrary system commands by uploading malicious ZIP files in the Manage Dashlets secti...
CVE-2021-37348 is a local file inclusion vulnerability in Nagios XI that allows attackers to read arbitrary files on the server through improper pathname limitation in index.php. This affects Nagios X...
This vulnerability allows low-privileged users in Nagios XI and Nagios Fusion to modify files that are later executed with root privileges, enabling privilege escalation to root. It affects Nagios XI ...
This CVE describes a local privilege escalation vulnerability in Nagios XI where a maintenance script can be executed as root via sudo but includes a writable application file. An attacker with access...
Nagios XI versions before 2024R1.1.3 allow authenticated users to access sensitive user account information including API keys and password hashes, which they should not have permission to view. This ...
Nagios XI versions before 5.8.7 contain a cross-site scripting vulnerability in the Core UI's Views URL handling. Attackers can inject malicious scripts that execute in victims' browsers when they vis...
Nagios XI versions before 2024R1.1 contain a reflected cross-site scripting (XSS) vulnerability in the 404 error page. An attacker can craft malicious links that execute arbitrary JavaScript in victim...
Nagios XI versions before 2024R1.4.2 have overly permissive systemd unit file permissions, specifically on nagios.service. This allows local attackers with existing access to potentially manipulate se...
Nagios XI versions before 2024R1.1.3 contain a cross-site scripting vulnerability in the Capacity Planning Report component. Attackers can inject malicious scripts that execute in victims' browsers wh...
Nagios XI versions before 2024R1.1.3 are vulnerable to cross-site scripting (XSS) in the Executive Summary Report component. Attackers can inject malicious scripts that execute in victims' browsers wh...
Nagios XI versions before 2024R1.1.4 contain an authenticated local file inclusion vulnerability in the NagVis integration. Authenticated users can manipulate path parameters to read arbitrary files f...
Nagios XI versions before 2024R1.1.2 have a reflected cross-site scripting (XSS) vulnerability on the login page when accessed with older web browsers. Attackers can craft malicious links that execute...
Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Bulk Modifications tool. Attackers can inject malicious scripts that execute in victims' browsers when they view ma...
Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Bandwidth Report component. Insufficient input validation allows attackers to inject malicious scripts that execute...
Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Graph Explorer component. Attackers can inject malicious scripts that execute in victims' browsers when they view m...
Nagios XI versions before 2024R1 contain a cross-site scripting vulnerability in the Graph Explorer component. Insufficient input validation allows attackers to inject malicious scripts that execute i...
Nagios XI versions before 5.8.9 contain a stored cross-site scripting vulnerability in the BPI component's info URL field. Attackers can inject malicious scripts that execute in victims' browsers when...
Nagios XI versions before 5.8.9 contain a stored cross-site scripting vulnerability in the Apply Configuration error text. Attackers can inject malicious scripts that execute in victims' browsers when...
Nagios XI versions before 5.8.9 contain a stored cross-site scripting vulnerability in the update checking feature. Attackers can inject malicious scripts that execute in victims' browsers when they v...
Nagios XI versions before 5.11.3 contain XSS and CSRF vulnerabilities in the Hypermap Replay component. Attackers can inject malicious scripts that execute in victims' browsers or trick authenticated ...
Nagios XI versions before 5.8.0 contain a cross-site scripting vulnerability in BPI config ID handling. Attackers can inject malicious scripts that execute in victims' browsers when viewing affected p...
Nagios XI versions before 5.8.0 contain a cross-site scripting vulnerability in the Views feature URL handling. Attackers can inject malicious scripts that execute in victims' browsers when they visit...
Nagios XI versions before 5.8.7 contain a cross-site scripting vulnerability in the Audit Log page's Send to NLS form. Attackers can inject malicious scripts that execute in victims' browsers when the...
This cross-site scripting (XSS) vulnerability in Nagios XI's Core Config Manager allows attackers to inject malicious scripts into search and deletion interfaces. When exploited, these scripts execute...
This cross-site scripting (XSS) vulnerability in Nagios XI's Core Config Manager allows attackers to inject malicious scripts into the Audit Log page search input. When exploited, these scripts execut...
This cross-site scripting vulnerability in Nagios XI's Core Config Manager allows attackers to inject malicious scripts into overlay modals. When exploited, these scripts execute in victims' browsers,...
This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Nagios XI's Core Config Manager (CCM) affecting the Services page. Attackers can inject malicious scripts into config_name and...
Nagios XI versions before 5.8.0 contain a stored cross-site scripting (XSS) vulnerability in the My Tools page. Attackers can inject malicious scripts that execute in victims' browsers when they view ...
This cross-site scripting vulnerability in Nagios XI allows attackers to inject malicious scripts into the BPI Config Management and Edit Config pages. When victims view these pages, the scripts execu...
Nagios XI versions before 5.6.11 have unauthenticated vulnerabilities in the Highcharts export tool. Attackers can inject malicious scripts into exported content (XSS) and force the server to access i...
This cross-site scripting (XSS) vulnerability in Nagios XI allows attackers to inject malicious scripts into the Manage Users page of the Admin interface. When exploited, these scripts execute in vict...
This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Nagios XI's Core Config Manager (CCM). Attackers can inject malicious scripts into overlay UI elements and notification/check ...
Nagios XI versions before 5.2.4 contain a cross-site scripting vulnerability in the Menu System of the web interface. Attackers can inject malicious scripts that execute in victims' browsers when they...