Nagios Xi vulnerabilities
192 known vulnerabilities affecting nagios/nagios_xi.
Total CVEs: 192
CISA KEV: 4 (actively exploited)
Public exploits: 26
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 71, MEDIUM 94
Vulnerabilities (page 2 of 10)
Entry format: CVE | priority | severity | CVSS | exploit status | affected / fixed versions | published
CVE-2018-10738 | P2 | HIGH | CVSS 7.2 | PoC | affected: ≥ 5.2.0, ≤ 5.2.9; ≥ 5.4.0, < 5.4.13 | 2018-05-16
CWE-89: A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.
Source: nvd
CVE-2018-10735 | P2 | HIGH | CVSS 7.2 | PoC | affected: ≥ 5.2.0, ≤ 5.2.9; ≥ 5.4.0, < 5.4.13 | 2018-05-16
CWE-89: A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.
Source: nvd
CVE-2018-10736 | P2 | HIGH | CVSS 7.2 | PoC | affected: ≥ 5.2.0, ≤ 5.2.9; ≥ 5.4.0, < 5.4.13 | 2018-05-16
CWE-89: A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.
Source: nvd
CVE-2023-48085 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.11.3 | 2023-12-14
CWE-94: Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.
Source: nvd
CVE-2021-38156 | P3 | MEDIUM | CVSS 5.4 | PoC | fixed in 5.8.6 | 2021-09-15
CWE-79: In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.
Source: nvd
CVE-2021-37350 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.8.5 | 2021-08-13
CWE-89: Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation.
Source: nvd
CVE-2023-40931 | P3 | MEDIUM | CVSS 6.5 | PoC | affected: ≥ 5.11.0, < 5.11.2 | 2023-09-19
CWE-89: A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php.
Source: nvd
CVE-2019-12279 | P3 | CRITICAL | CVSS 9.8 | PoC | affected: v5.6.1 | 2019-05-22
CWE-89: Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that can be done with the variable provided, and while t
Source: nvd
CVE-2025-34227 | P2 | HIGH | CVSS 8.8 | affected: ≤ 2026; fixed in 2026R1 | 2025-09-25
CWE-78: Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.
Source: nvd
CVE-2026-2042 | P2 | HIGH | CVSS 8.8 | affected: v2026 | 2026-02-20
CWE-78: Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.
The specific flaw exists within the monitoringwizard module. The issue results from the lack of proper
Source: nvd
CVE-2019-9164 | P2 | HIGH | CVSS 8.8 | fixed in 5.5.11 | 2019-03-28
CWE-79: Command injection in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job.
Source: nvd
CVE-2024-14003 | P2 | CRITICAL | CVSS 9.8 | fixed in 2024; affected: v2024 | 2025-10-30
CWE-78: Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of
Source: nvd
CVE-2018-15711 | P2 | HIGH | CVSS 8.8 | affected: v5.5.6 | 2018-11-14
CWE-78: Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges.
Source: nvd
CVE-2021-40344 | P2 | HIGH | CVSS 7.2 | affected: v5.8.5 | 2021-10-26
CWE-434: An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.
Source: nvd
CVE-2021-3193 | P2 | CRITICAL | CVSS 9.8 | affected: ≤ 5.7.0 | 2021-01-26
Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.
Source: nvd
CVE-2013-6875 | P3 | HIGH | CVSS 7.5 | PoC | affected: ≤ 2012r2.3; v2012 (+13 more) | 2013-11-26
CWE-89: SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.
Source: nvd
CVE-2021-3277 | P2 | HIGH | CVSS 7.2 | affected: ≤ 5.7.5 | 2021-06-07
CWE-434: Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality in the custom-includes component, which leads to remote code execution by uploading PHP files.
Source: nvd
CVE-2024-13999 | P2 | CRITICAL | CVSS 9.8 | fixed in 2024; affected: v2024 | 2025-10-30
CWE-497: Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or LDAP authentication token to an authenticated user. Exposure of the server's AD/LDAP token could allow domain-wide authentication misuse, escalation of privileges, or further compromise of network-integrated systems.
Source: nvd
CVE-2025-34284 | P2 | HIGH | CVSS 8.8 | fixed in 2024; affected: v2024 | 2025-10-30
CWE-78: Nagios XI versions prior to 2024R2 contain a command injection vulnerability in the WinRM plugin. Insufficient validation of user-supplied parameters allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges
Source: nvd
CVE-2020-15901 | P2 | HIGH | CVSS 8.8 | fixed in 5.7.2 | 2020-07-22
In Nagios XI before 5.7.3, ajaxhelper.php allows remote authenticated attackers to execute arbitrary commands via cmdsubsys.
Source: nvd