cbcvebase.
CVE-2026-2043
published 2026-02-20

CVE-2026-2043: Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute…

PriorityP184high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
74.17%
99.4th percentile
Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the esensors_websensor_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249.

Affected

2 ranges
VendorProductVersion rangeFixed in
nagioshost
nagiosnagios_xi

Detection & IOCsextracted from sources · hover to see the quote

  • Monitor for exploitation attempts targeting the esensors_websensor_configwizard_func method in Nagios XI, which passes unsanitized user-supplied strings to a system call
  • Alert on authenticated POST/GET requests invoking the esensors_websensor_configwizard_func handler with shell metacharacters or command injection payloads in any parameter
  • ·Exploitation requires authentication; unauthenticated access alone is insufficient to trigger the command injection
  • ·Successful exploitation results in code execution as the Nagios service account, not necessarily root; scope of post-exploitation depends on service account privileges
  • ·No public exploit or fix was available as of the publication date (Feb 20, 2026); no CISA KEV entry exists

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv3.07.2HIGHCVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.