
Nagios Xi vulnerabilities

192 known vulnerabilities affecting nagios/nagios_xi.

Total CVEs: 192
CISA KEV: 4 (actively exploited)
Public exploits: 26
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 71, MEDIUM 94

Vulnerabilities

Page 6 of 10
CVE-2025-34283 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024 | v2024 | 2025-10-30
CWE-497: Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API key value.
Source: NVD
CVE-2021-37223 | P3 | MEDIUM | CVSS 6.5 | ≤ 5.8.4 | 2021-10-05
CWE-918: Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resou
Source: NVD
CVE-2020-15902 | P3 | MEDIUM | CVSS 6.1 | fixed in 5.7.2 | 2020-07-22
CWE-79: Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option.
Source: NVD
CVE-2024-54960 | P3 | MEDIUM | CVSS 6.5 | v2024 | 2025-02-20
CWE-89: A SQL Injection vulnerability in Nagios XI 2024R1.2.2 allows a remote attacker to execute SQL injection via a crafted payload in the History Tab component.
Source: NVD
CVE-2024-13998 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024 | v2024 | 2025-11-03
Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13
Source: NVD
CVE-2013-10072 | P3 | MEDIUM | CVSS 6.5 | ≤ 2011 | v2012 | 2025-10-30
CWE-862: Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations.
Source: NVD
CVE-2021-37348 | P3 | HIGH | CVSS 7.5 | fixed in 5.8.5 | 2021-08-13
CWE-552: Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.
Source: NVD
CVE-2025-34288 | P3 | MEDIUM | CVSS 6.7 | ≤ 2024 | v2026 | 2025-12-16
CWE-732: Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user-accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower-privileged user. A local attacker with access to t
Source: NVD
CVE-2019-9166 | P3 | HIGH | CVSS 7.8 | fixed in 5.5.11 | 2019-03-28
CWE-732: Privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php and import_xiconfig.php.
Source: NVD
CVE-2021-40343 | P3 | HIGH | CVSS 7.8 | v5.8.5 | 2021-10-26
CWE-732: An issue was discovered in Nagios XI 5.8.5. Insecure file permissions on the nagios_unbundler.py file allow the nagios user to elevate their privileges to the root user.
Source: NVD
CVE-2021-37345 | P3 | HIGH | CVSS 7.8 | fixed in 5.8.5 | 2021-08-13
CWE-269: Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.
Source: NVD
CVE-2021-37347 | P3 | HIGH | CVSS 7.8 | fixed in 5.8.5 | 2021-08-13
CWE-22: Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.
Source: NVD
CVE-2019-9167 | P3 | MEDIUM | CVSS 6.1 | fixed in 5.5.11 | 2019-03-28
CWE-79: Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.
Source: NVD
CVE-2019-20139 | P4 | MEDIUM | CVSS 5.4 | v5.6.9 | 2019-12-30
CWE-79: In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user.
Source: NVD
CVE-2021-37349 | P3 | HIGH | CVSS 7.8 | fixed in 5.8.5 | 2021-08-13
Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database.
Source: NVD
CVE-2022-29271 | P3 | MEDIUM | CVSS 6.5 | ≤ 5.8.5 | 2022-06-29
CWE-863: In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services. This allows an attacker to permanently disable all monitoring checks.
Source: NVD
CVE-2020-27991 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.7.5 | 2020-11-16
CWE-79: Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).
Source: NVD
CVE-2020-27990 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.7.5 | 2020-11-16
CWE-79: Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent).
Source: NVD
CVE-2020-27989 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.7.5 | 2020-11-16
CWE-79: Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard).
Source: NVD
CVE-2022-29269 | P3 | MEDIUM | CVSS 6.5 | ≤ 5.8.5 | 2022-06-29
CWE-79: In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails from an official email address.
Source: NVD