
Nagios XI vulnerabilities

192 known vulnerabilities affecting nagios/nagios_xi.

Total CVEs: 192
CISA KEV: 4 (actively exploited)
Public exploits: 26
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 71, MEDIUM 94

Vulnerabilities (page 5 of 10)
CVE-2021-36366 | P3 | CRITICAL | CVSS 9.8 | fixed in 5.8.5 | 2021-09-28 | source: NVD
Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.
CVE-2021-36364 | P3 | CRITICAL | CVSS 9.8 | fixed in 5.8.5 | 2021-09-28 | source: NVD
Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.
CVE-2021-36365 | P3 | CRITICAL | CVSS 9.8 | CWE-276 | fixed in 5.8.5 | 2021-09-28 | source: NVD
Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.
CVE-2021-36363 | P3 | CRITICAL | CVSS 9.8 | CWE-276 | fixed in 5.8.5 | 2021-09-28 | source: NVD
Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.
CVE-2025-67254 | P3 | HIGH | CVSS 7.5 | CWE-22 | affected: 2026R1.0.1 (no fix version listed) | 2025-12-29 | source: NVD
Nagios XI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php.
CVE-2018-10553 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | affected: 5.4.13 (no fix version listed) | 2018-04-30 | source: NVD
An issue was discovered in Nagios XI 5.4.13. A registered user is able to use directory traversal to read local files, as demonstrated by URIs beginning with index.php?xiwindow=./ and config/?xiwindow=../ substrings.
CVE-2023-48082 | P3 | CRITICAL | CVSS 9.1 | CWE-79 | fixed in 2024R1 | 2024-10-14 | source: NVD
Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate.
CVE-2020-36869 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 5.7.5 | 2025-10-30 | source: NVD
Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized
CVE-2024-14009 | P3 | HIGH | CVSS 7.2 | CWE-269 | fixed in 2024R1.0.1 | 2025-10-30 | source: NVD
Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability. Due to improper access controls and unsafe handling of exported/imported profile data and operations, an authenticated administrator could exploit this
CVE-2023-40934 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 5.11.2 | 2023-09-19 | source: NVD
A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings.
CVE-2024-13997 | P3 | HIGH | CVSS 7.2 | CWE-269 | fixed in 2024R1.1.3 | 2025-11-03 | source: NVD
Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level attacker could execute actions outside the intended security scope of the application
CVE-2018-15712 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | affected: 5.5.6 (no fix version listed) | 2018-11-14 | source: NVD
Nagios XI 5.5.6 allows reflected cross site scripting from remote unauthenticated attackers via the host parameter in api_tool.php.
CVE-2020-36868 | P3 | HIGH | CVSS 7.8 | CWE-73 | fixed in 5.7.3 | 2025-10-30 | source: NVD
Nagios XI versions prior to 5.7.3 contain a privilege escalation vulnerability in the getprofile.sh helper script. The script performed profile retrieval and initialization routines using insecure file/command handling and insufficient validation of attacker-controlled inputs, and in some deployments executed with elevated privileges. A local attacker w
CVE-2020-10821 | P3 | MEDIUM | CVSS 4.8 | CWE-79 | affected: 5.6.11 (no fix version listed) | 2020-03-22 | source: NVD
Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter.
CVE-2021-3273 | P3 | HIGH | CVSS 7.2 | CWE-94 | fixed in 5.7 | 2021-02-25 | source: NVD
Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.
CVE-2018-25123 | P3 | HIGH | CVSS 7.8 | CWE-250 | fixed in 5.5.7 | 2025-10-30 | source: NVD
Nagios XI versions prior to 5.5.7 contain a privilege escalation vulnerability in the MRTG graphing component. MRTG-related processes/scripts executed with excessive privileges, allowing a local attacker with limited system access to abuse file/command execution paths or writable resources to gain elevated privileges.
CVE-2020-10819 | P3 | MEDIUM | CVSS 4.8 | CWE-79 | affected: 5.6.11 (no fix version listed) | 2020-03-22 | source: NVD
Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter.
CVE-2025-34287 | P3 | HIGH | CVSS 7.8 | CWE-732 | fixed in 2024R2 | 2025-10-30 | source: NVD
Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next
CVE-2020-5796 | P3 | HIGH | CVSS 7.8 | CWE-281 | affected: 5.7.4 (no fix version listed) | 2020-11-13 | source: NVD
Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and execute arbitrary PHP code with root privileges.
CVE-2021-47700 | P3 | HIGH | CVSS 7.8 | CWE-250 | fixed in 5.8.7 | 2025-10-30 | source: NVD
Nagios XI versions prior to 5.8.7 used a temporary directory for Highcharts exports with overly permissive ownership/permissions under the Apache user. Local or co-hosted processes could read/overwrite export artifacts or manipulate paths, risking disclosure or tampering and potential code execution depending on deployment.
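Most entries on this page give a fix version, a few give only the version the issue was reported against, and Nagios XI release names mix a numeric 5.x.y line with year-based names such as 2024R1.1.3 that do not sort as plain strings. The following added example (not code from cvebase or from Nagios) checks an installed version against the table on this page. The CVE-to-version pairs are copied from the entries above; the ordering rule it encodes (every 2024R1-style release is newer than every 5.x release) and the handling of a trailing "build NNN" suffix are assumptions.

```python
"""Check an installed Nagios XI build against the fix versions in this listing.

Added example, not code from cvebase or from Nagios. The CVE-to-version tables are
copied from the entries on this page; the version ordering is an assumption:
the 5.x.y line sorts numerically, and the later year-based releases
(2024R1, 2024R1.1.3, 2026R1.0.1 ...) sort after every 5.x release, then by year,
release number and dotted build components.
"""
import re
from typing import Dict, List, Tuple

# Entries on this page that give a fix version ("fixed in ...").
# CVE-2023-48082's description says "before 2024R1", so that is the fix used here.
FIXED_IN: Dict[str, str] = {
    "CVE-2021-36366": "5.8.5",
    "CVE-2021-36364": "5.8.5",
    "CVE-2021-36365": "5.8.5",
    "CVE-2021-36363": "5.8.5",
    "CVE-2023-48082": "2024R1",
    "CVE-2020-36869": "5.7.5",
    "CVE-2024-14009": "2024R1.0.1",
    "CVE-2023-40934": "5.11.2",
    "CVE-2024-13997": "2024R1.1.3",
    "CVE-2020-36868": "5.7.3",
    "CVE-2021-3273": "5.7",
    "CVE-2018-25123": "5.5.7",
    "CVE-2025-34287": "2024R2",
    "CVE-2021-47700": "5.8.7",
}

# Entries on this page that only name the version the issue was reported against.
# The page gives no fix version for these, which is not the same as "fixed".
REPORTED_AGAINST: Dict[str, str] = {
    "CVE-2025-67254": "2026R1.0.1",
    "CVE-2018-10553": "5.4.13",
    "CVE-2018-15712": "5.5.6",
    "CVE-2020-10821": "5.6.11",
    "CVE-2020-10819": "5.6.11",
    "CVE-2020-5796": "5.7.4",
}

_YEAR_BASED = re.compile(r"^(\d{4})R(\d+)(?:\.(\d+(?:\.\d+)*))?(?:\s+build\s+\d+)?$")
_LEGACY = re.compile(r"^\d+(?:\.\d+)*$")


def _pad(parts: List[int], width: int) -> Tuple[int, ...]:
    """Zero-pad so '5.7' compares equal to '5.7.0' and '2024R1' to '2024R1.0.0'."""
    return tuple(parts + [0] * (width - len(parts)))


def parse_version(text: str) -> Tuple[int, ...]:
    """Map a version string to a sortable tuple.

    '5.8.5'      -> (0, 5, 8, 5)
    '2024R1.1.3' -> (1, 2024, 1, 1, 3)
    The leading 0/1 places every year-based release after every 5.x release
    (assumption). A trailing 'build NNN', as in the CVE-2025-67254 entry, is ignored.
    """
    text = text.strip()
    m = _YEAR_BASED.match(text)
    if m:
        year, release, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        parts = [int(p) for p in rest.split(".")] if rest else []
        return (1, year, release) + _pad(parts, 2)
    if _LEGACY.match(text):
        return (0,) + _pad([int(p) for p in text.split(".")], 3)
    raise ValueError(f"unrecognised Nagios XI version: {text!r}")


def unpatched_cves(installed: str, fixed_in: Dict[str, str] = FIXED_IN) -> List[str]:
    """CVEs whose listed fix version is newer than the installed version."""
    current = parse_version(installed)
    return sorted(cve for cve, fix in fixed_in.items() if current < parse_version(fix))


def unverified_cves(installed: str, reported: Dict[str, str] = REPORTED_AGAINST) -> List[str]:
    """CVEs reported against the installed version or a later one, with no fix
    version on this page. Treat these as open until vendor release notes say otherwise."""
    current = parse_version(installed)
    return sorted(cve for cve, ver in reported.items() if current <= parse_version(ver))


if __name__ == "__main__":
    import sys

    version = sys.argv[1] if len(sys.argv) > 1 else "5.8.4"
    print(f"Nagios XI {version}")
    print("  fix listed on this page   :", ", ".join(unpatched_cves(version)) or "none")
    print("  no fix listed on this page:", ", ".join(unverified_cves(version)) or "none")
```

Run it as `python xi_check.py 5.8.4` (or any version string). The second list is deliberately conservative: an entry with no fix version on this page is reported whenever the installed version is at or below the version it was reported against, because the listing alone cannot tell you when, or whether, it was fixed.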
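CVE-2025-34287, CVE-2021-36365, CVE-2021-36363, CVE-2020-5796 and CVE-2021-47700 above are one class of defect: a file executed by one account (root, or the nagios user from cron) that a lower-privileged account, usually the web server, owns or can write. The added example below (not code from cvebase or Nagios) audits a mapping of script paths to the accounts that run them for that mismatch, and checks the containing directory as well, since write access there lets a locked-down file be replaced. The script location, the "nagios" account and the scratch directory in demo() are assumptions; the page names process_perfdata.pl but not its path.

```python
"""Find the ownership/permission mismatch several entries on this page describe:
a script run by a privileged account that the web-server account can modify.

Added example, not cvebase or Nagios code. The paths, account names and the
cron mapping in demo() are illustrative assumptions, not taken from the page.
"""
import grp
import os
import pwd
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    path: str
    runs_as: str
    writable_by: str
    reason: str


def _gids_of(user: str) -> Set[int]:
    """Primary gid plus every group that lists the user as a member."""
    pw = pwd.getpwnam(user)
    return {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}


def write_access(st_uid: int, st_gid: int, st_mode: int, uid: int, gids: Set[int]) -> Optional[str]:
    """Why `uid` can change an object with these stat fields, or None if it cannot.

    Ownership counts by itself, even at mode 0755: the owner can chmod the file
    writable again. That is the CVE-2025-34287 shape (owned by www-data, run as nagios).
    """
    if st_uid == uid:
        return "owned by the account"
    if st_mode & stat.S_IWOTH:
        return "world-writable"
    if st_mode & stat.S_IWGRP and st_gid in gids:
        return "group-writable and the account is in that group"
    return None


def audit(scripts: Dict[str, str], web_user: str) -> List[Finding]:
    """scripts maps a script path to the account that executes it.

    A finding means web_user can alter what that account will run. The containing
    directory is checked too: write access there lets the script be replaced
    even when the file itself is locked down.
    """
    uid = pwd.getpwnam(web_user).pw_uid
    gids = _gids_of(web_user)
    findings: List[Finding] = []
    for path, runs_as in scripts.items():
        if runs_as == web_user:
            continue  # same account on both sides: no privilege boundary to cross
        for target, kind in ((path, "file"), (os.path.dirname(path) or ".", "directory")):
            try:
                st = os.stat(target)
            except FileNotFoundError:
                continue
            why = write_access(st.st_uid, st.st_gid, st.st_mode, uid, gids)
            if why:
                findings.append(Finding(path, runs_as, web_user, f"{kind} {why}"))
                break
    return findings


def demo() -> List[Finding]:
    """Reproduce the pattern in a scratch directory: a 0755 script owned by the
    current user, declared as running under a different account from cron."""
    me = pwd.getpwuid(os.getuid()).pw_name
    workdir = tempfile.mkdtemp(prefix="xi-perm-audit-")
    script = os.path.join(workdir, "process_perfdata.pl")  # name from CVE-2025-34287
    with open(script, "w") as fh:
        fh.write("#!/usr/bin/perl\n")
    os.chmod(script, 0o755)
    # Hypothetical cron mapping: the script runs as 'nagios'; the web server is `me`.
    return audit({script: "nagios"}, web_user=me)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: runs as {f.runs_as}, but {f.reason} ({f.writable_by})")
```

On a real host, replace the demo mapping with the cron entries and systemd units that run under nagios or root and pass the web server's account (www-data or apache, depending on the distribution). The check models classic mode bits only; POSIX ACLs and the sticky bit on shared directories are not considered, so treat its output as a starting list, not a clean bill of health.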