Nagios: >> Nagios Xi >> 5.11.1 Security Vulnerabilities
Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the files or commands executed with elevated privileges, resulting in execution with higher privileges.
CVSS Score
7.0
EPSS Score
0.0
Published
2025-10-30
Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.
CVSS Score
8.8
EPSS Score
0.014
Published
2025-09-25
Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user.
CVSS Score
8.8
EPSS Score
0.011
Published
2025-08-28
Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate.
CVSS Score
9.1
EPSS Score
0.011
Published
2024-10-14
A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI version up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the audio file upload functionality from the Operation Center section. This allows any authenticated user to execute arbitrary JavaScript code on behalf of other users, including the administrators.
CVSS Score
5.4
EPSS Score
0.018
Published
2024-02-02
Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.
CVSS Score
9.8
EPSS Score
0.624
Published
2023-12-14
Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.
CVSS Score
9.8
EPSS Score
0.821
Published
2023-12-14
A Cross-site scripting (XSS) vulnerability in Nagios XI version 5.11.1 and below allows authenticated attackers with access to the custom logo component to inject arbitrary javascript or HTML via the alt-text field. This affects all pages containing the navbar including the login page which means the attacker is able to to steal plaintext credentials.
CVSS Score
5.4
EPSS Score
0.02
Published
2023-09-19
A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function.
CVSS Score
8.8
EPSS Score
0.181
Published
2023-09-19
A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings.
CVSS Score
7.2
EPSS Score
0.012
Published
2023-09-19