Nagios XI vulnerabilities
192 known vulnerabilities affecting nagios/nagios_xi.
Total CVEs: 192
CISA KEV: 4 (actively exploited)
Public exploits: 26
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 71, MEDIUM 94
Vulnerabilities
Page 3 of 10
CVE-2013-10073 · P2 · HIGH · CVSS 8.8 · CWE-78 · affected 2012 · fixed in 2012 · published 2025-10-30
Nagios XI versions prior to 2012R1.6 contain a shell command injection vulnerability in the Auto-Discovery tool. User-controlled input is passed to a shell without adequate sanitization or argument quoting, allowing an authenticated user with access to discovery functionality to execute arbitrary commands with the privileges of the application service.
Source: NVD
CVE-2019-20197 · P2 · HIGH · CVSS 8.8 · CWE-78 · affected 5.6.9 · published 2019-12-31
In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.
Source: NVD
CVE-2024-14005 · P2 · HIGH · CVSS 8.8 · CWE-78 · affected 2024 · fixed in 2024 · published 2025-10-30
Nagios XI versions prior to 2024R1.2 contain a command injection vulnerability in the Docker Wizard. Insufficient validation of user-supplied input in the wizard allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with th
Source: NVD
CVE-2018-15709 · P2 · HIGH · CVSS 8.8 · CWE-78 · affected 5.5.6 · published 2018-11-14
Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request.
Source: NVD
CVE-2018-25122 · P2 · HIGH · CVSS 8.8 · CWE-78 · fixed in 5.4.13 · published 2025-10-30
Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled input and lacked sufficient validation and output encoding, allowing an authenticated user to inject commands or otherwise execute arbitrary code with the
Source: NVD
CVE-2020-36856 · P2 · HIGH · CVSS 8.8 · CWE-78 · fixed in 5.6.14 · published 2025-10-30
Nagios XI versions prior to 5.6.14 contain an authenticated remote command execution vulnerability in the CCM command_test.php script. Insufficient validation of the `address` parameter allows an authenticated user with access to the Core Config Manager to inject shell metacharacters that are incorporated into backend command invocations. Successful ex
Source: NVD
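The CWE-78 entries above (the Auto-Discovery tool, the `id` parameter of schedulereport.php, the `address` parameter of command_test.php) all describe one defect: a request parameter reaches a shell command string without quoting. The Python below is an added illustration of that pattern and of the two fixes, not Nagios XI code; `echo` stands in for the check binary so it runs anywhere with /bin/sh, the `-H` flag and the `address` name are borrowed only as labels, and the attacker payload is constructed for the example.

```python
import ipaddress
import re
import shlex
import subprocess

# Stand-in for the monitoring check binary. "echo" is used so the example runs
# on any POSIX system; the real Nagios XI command wrappers are not reproduced.
CHECK_BINARY = "echo"


def run_check_vulnerable(address: str) -> str:
    """CWE-78: the request parameter is spliced into a shell command string.
    Metacharacters (; | && $() `) inside `address` are interpreted by /bin/sh."""
    cmd = f"{CHECK_BINARY} -H {address}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_check_quoted(address: str) -> str:
    """Minimal fix when a shell is unavoidable: single-quote the argument so
    the whole value is one word to the shell."""
    cmd = f"{CHECK_BINARY} -H {shlex.quote(address)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_check_argv(address: str) -> str:
    """Preferred fix: no shell at all. The argv list goes straight to execve,
    so the value is exactly one argument regardless of its content."""
    return subprocess.run([CHECK_BINARY, "-H", address],
                          capture_output=True, text=True).stdout


# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, 253 chars total.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def is_valid_target(address: str) -> bool:
    """Allow-list validation: an IP literal or a hostname, nothing else.
    Quoting stops the shell from parsing the value; validation additionally
    stops it from being an option ("-o ...") consumed by the check binary."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return _HOSTNAME.match(address) is not None


def run_check_hardened(address: str) -> str:
    """Validate first, then execute without a shell."""
    if not is_valid_target(address):
        raise ValueError(f"rejected check target: {address!r}")
    return run_check_argv(address)


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"   # constructed attacker input
    print("vulnerable:", run_check_vulnerable(payload).splitlines())
    print("quoted:    ", run_check_quoted(payload).splitlines())
    print("argv:      ", run_check_argv(payload).splitlines())
```

With the payload `10.0.0.1; echo INJECTED`, the vulnerable form runs two commands and its output contains a second line `INJECTED`; both fixed forms pass the entire string as a single literal argument. The allow-list is kept separate from the quoting because they address different layers: the shell and the invoked program's own option parser.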
CVE-2023-7317 · P2 · HIGH · CVSS 8.8 · CWE-862 · fixed in 2024 · published 2025-10-30
Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command execution or disclosure of sensitive information.
Source: NVD
CVE-2024-13986 · P2 · HIGH · CVSS 8.8 · CWE-22 · affected 2024 (+1 more) · fixed in 2024 · published 2025-08-28
Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-
Source: NVD
CVE-2020-24899 · P2 · HIGH · CVSS 8.8 · CWE-78 · affected 5.7.2 · published 2021-02-15
Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into a normal webapp query.
Source: NVD
CVE-2020-36863 · P2 · HIGH · CVSS 8.8 · CWE-434 · fixed in 5.7.2 · published 2025-10-30
Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import
Source: NVD
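CVE-2024-13986 and CVE-2020-36863 above describe the two halves of an upload-to-RCE chain: a client-supplied name (or rename target) that is not confined to the upload directory, and a directory from which the web server will execute whatever lands there. The Python below is an added illustration of the name, extension and containment checks an upload or rename handler needs; it is not Nagios XI code, and the `/srv/uploads` root, the extension allow-list and the sample names are assumptions constructed for the example.

```python
import os
import re

# Hypothetical storage root, deliberately OUTSIDE the web root so nothing
# written here can be served or executed. Not a Nagios XI path.
UPLOAD_ROOT = "/srv/uploads"
# Data-only types the hypothetical importers accept; never a script type.
ALLOWED_EXT = {".mib", ".wav", ".mp3", ".ogg"}
# Exactly one stem and one extension. Rejects "shell.php.mib"-style double
# extensions, which some Apache AddHandler/FilesMatch setups still execute.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def store_path_vulnerable(root: str, filename: str) -> str:
    """CWE-22: joins the client-supplied name onto the upload root.
    '../' walks out of root, and an absolute name replaces root outright."""
    return os.path.normpath(os.path.join(root, filename))


def validate_upload_name(filename: str) -> str:
    """Return a safe basename or raise. Drops any directory component (both
    separator styles), then enforces the name shape and the extension list."""
    base = os.path.basename(filename.replace("\\", "/"))
    if not _SAFE_NAME.match(base):
        raise ValueError(f"bad upload name: {filename!r}")
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {filename!r}")
    return base


def store_path_hardened(root: str, filename: str) -> str:
    """Resolve the final path and require its parent to be exactly the root.
    realpath() follows symlinks, so a link planted inside root cannot redirect
    the write somewhere else."""
    name = validate_upload_name(filename)
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    if os.path.dirname(target) != root_real:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return target


def rename_paths_hardened(root: str, old: str, new: str) -> tuple:
    """A rename (for example of a snapshot) is the same check applied to both
    names; the destination is where traversal and extension smuggling hide."""
    return store_path_hardened(root, old), store_path_hardened(root, new)


if __name__ == "__main__":
    print(store_path_vulnerable(UPLOAD_ROOT, "../../etc/passwd"))   # escapes root
    print(store_path_hardened(UPLOAD_ROOT, "device.mib"))           # stays inside
```

The containment check is deliberately redundant with the basename check: the first stops the common case, the second catches anything the first missed (symlinks, platform path quirks). Storing outside the document root, plus disabling script execution in the directory at the web server (for Apache, `php_admin_flag engine off` or an equivalent handler reset), removes the execution half of the chain even if a bad name gets through.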
CVE-2024-13994 · P2 · CRITICAL · CVSS 9.8 · CWE-862 · affected 2024 · fixed in 2024 · published 2025-10-30
Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios
Source: NVD
CVE-2024-24402 · P2 · CRITICAL · CVSS 9.8 · CWE-269 · affected 2024 · published 2024-02-26
An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.
Source: NVD
CVE-2021-33177 · P2 · HIGH · CVSS 8.8 · CWE-89 · affected <5.8.5 · fixed in 5.8.5 · published 2021-10-14
The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary SQL queries.
Source: NVD
CVE-2020-36867 · P2 · HIGH · CVSS 8.8 · CWE-78 · fixed in 5.7.3 · published 2025-10-30
Nagios XI versions prior to 5.7.3 contain a command injection vulnerability in the report PDF download/export functionality. User-supplied values used in the PDF generation pipeline or the wrapper that invokes offline/pdf helper utilities were insufficiently validated or improperly escaped, allowing an authenticated attacker who can trigger PDF exports
Source: NVD
CVE-2020-28648 · P2 · HIGH · CVSS 8.8 · CWE-20 · fixed in 5.7.5 · published 2020-11-16
Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.
Source: NVD
CVE-2024-13995 · P2 · HIGH · CVSS 8.8 · CWE-497 · affected 2024 · fixed in 2024 · published 2025-10-30
Nagios XI versions prior to 2024R1.1.2 may (confirmed in 2024R1.1 and 2024R1.1.1) disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking at
Source: NVD
CVE-2021-40345 · P3 · HIGH · CVSS 7.2 · CWE-77 · affected 5.8.5 · published 2021-10-26
An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.
Source: NVD
CVE-2018-17148 · P3 · CRITICAL · CVSS 9.8 · CWE-284 · fixed in 5.5.4 · published 2019-06-19
An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.
Source: NVD
CVE-2022-29272 · P3 · MEDIUM · CVSS 6.1 · CWE-601 · public PoC · affected ≤ 5.8.5 · published 2022-06-29
In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.
Source: NVD
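CVE-2022-29272 above is an open redirect in the login flow: a return-to URL taken from the request is handed back to the browser in a Location header without being checked, so a phishing link can bounce a victim through the trusted login page to an attacker-controlled site. The Python below is an added illustration of a validator that accepts only same-site, path-only targets and covers the usual bypass shapes; it is not Nagios XI code, and the `/nagiosxi/` default landing page is an assumption for the example.

```python
from urllib.parse import unquote, urlsplit

DEFAULT_LANDING = "/nagiosxi/"   # assumed post-login page for the example


def safe_redirect_target(requested, default: str = DEFAULT_LANDING) -> str:
    """Return `requested` only if it is a local, path-only URL; else `default`.

    Shapes rejected and why a browser would follow them off-site:
      https://evil.example/       absolute URL
      //evil.example/  ///evil    scheme-relative; browser prepends https:
      /\\evil.example/            browsers normalise backslash to slash
      javascript:alert(1)         non-http scheme
      /%2F%2Fevil.example         some servers decode before redirecting
      \\t//evil.example           browsers strip leading controls before parsing
    """
    if not isinstance(requested, str) or not requested:
        return default
    # Any control character or space: browsers strip or normalise these,
    # so a value that looks like a path here may not be one to the browser.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in requested):
        return default
    # Browsers treat "\" as "/" in URLs, so "/\evil" becomes "//evil".
    if "\\" in requested:
        return default
    # Check the raw value and its percent-decoded form the same way.
    for form in (requested, unquote(requested)):
        parts = urlsplit(form)
        if parts.scheme or parts.netloc:          # absolute or scheme-relative
            return default
        if not form.startswith("/") or form.startswith("//"):
            return default                         # relative, or //host variant
    return requested


if __name__ == "__main__":
    for candidate in ["/nagiosxi/index.php?x=1", "//evil.example/", "/%2F%2Fevil.example"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Returning the default rather than an error keeps login working for users who arrive with a mangled parameter, while never echoing an unvalidated value into the response. If off-site redirects are genuinely required, the right tool is an allow-list of hostnames compared against `urlsplit(...).hostname`, not a blocklist of patterns.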
CVE-2019-9165 · P3 · CRITICAL · CVSS 9.8 · CWE-89 · fixed in 5.5.11 · published 2019-03-28
SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and a malicious user id.
Source: NVD
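CVE-2021-33177 and CVE-2019-9165 above are both SQL injection through parameters an authenticated caller controls (bulk modification fields, an API user id). The Python/SQLite example below is an added illustration of why a string-built query fails against such a parameter and why a type check plus a bound parameter does not; it is not Nagios XI code, and the `users` table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not a Nagios XI schema.
_ROWS = [(1, "nagiosadmin", "k-admin-0001"),
         (2, "operator", "k-ops-0002"),
         (3, "readonly", "k-ro-0003")]


def connect() -> sqlite3.Connection:
    """In-memory database seeded with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", _ROWS)
    return db


def api_keys_vulnerable(db: sqlite3.Connection, user_id: str) -> list:
    """CWE-89: the id from the request is pasted into the statement text.
    A value such as '1 OR 1=1' turns a one-row lookup into a dump of every
    key; '0 UNION SELECT ...' would pull from any other table the same way."""
    sql = f"SELECT username, api_key FROM users WHERE id = {user_id}"
    return db.execute(sql).fetchall()


def api_keys_hardened(db: sqlite3.Connection, user_id: str) -> list:
    """Validate the type, then bind. The driver ships the value separately
    from the statement, so it is data to the engine and can never become SQL."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError(f"user id must be an integer: {user_id!r}")
    return db.execute(
        "SELECT username, api_key FROM users WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    conn = connect()
    print("vulnerable, id=2:       ", api_keys_vulnerable(conn, "2"))
    print("vulnerable, id=1 OR 1=1:", api_keys_vulnerable(conn, "1 OR 1=1"))
    print("hardened,   id=2:       ", api_keys_hardened(conn, "2"))
```

The integer check is not what prevents the injection; the bound parameter is. The check is there so a malformed id produces a clean 4xx-style error instead of a query that silently matches nothing, which is what you want when the same path also feeds logging and rate-limiting.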