CVE-2021-3193
Published 2021-01-26
Priority P269 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 9.77% · 94.9th percentile
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| algolia | algoliasearch-helper | >= 2.0.0-rc1 < 3.11.2 | 3.11.2 |
| nagios | nagios_xi | <= 5.7.0 | — |
CVSS provenance
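| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |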
GHSA
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
ghsa·2025-09-27·CVSS 9.8
CVE-2025-3193 [MEDIUM] CWE-1321 algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.
This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).
**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
GHSA
GHSA-9f3q-pwxj-87pv: Improper access and command validation in the Docker config wizard of Nagios XI before 5
ghsa_unreviewed·2022-05-24
CVE-2021-3193 [CRITICAL] GHSA-9f3q-pwxj-87pv: Improper access and command validation in the Docker config wizard of Nagios XI before 5
Improper access and command validation in the Docker config wizard of Nagios XI before 5.8.0 allows an authenticated attacker to execute remote code as the apache user.
Red Hat
algoliasearch-helper: algoliasearch-helper prototype pollution
vendor_redhat·2025-09-27·CVSS 5.9
CVE-2025-3193 [MEDIUM] CWE-1321 algoliasearch-helper: algoliasearch-helper prototype pollution
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.
This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).
**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
A prototype pollution flaw has been discovered in the npm algoliasearc
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-01-26