
Nagios Xi vulnerabilities

192 known vulnerabilities affecting nagios/nagios_xi.

Total CVEs: 192
CISA KEV: 4 (actively exploited)
Public exploits: 26
Exploited in wild: 6
Severity breakdown: CRITICAL 27, HIGH 71, MEDIUM 94

Vulnerabilities

Page 8 of 10
CVE-2024-14000 | P4 | MEDIUM | CVSS 5.4 | fixed in 2024 | v2024 | 2025-10-30
CVE-2024-14000 [MEDIUM] CWE-79: Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Capacity Planning Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2024-14001 | P4 | MEDIUM | CVSS 5.4 | fixed in 2024 | v2024 | 2025-10-30
CVE-2024-14001 [MEDIUM] CWE-79: Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Executive Summary Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2023-7315 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.11.3 | 2025-10-30
CVE-2023-7315 [MEDIUM] CWE-79: Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2023-7314 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.11.3 | 2025-10-30
CVE-2023-7314 [MEDIUM] CWE-79: Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bandwidth Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2022-50587 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.8.9 | 2025-10-30
CVE-2022-50587 [MEDIUM] CWE-79: Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) via the Apply Configuration error text. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2022-50586 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.8.9 | 2025-10-30
CVE-2022-50586 [MEDIUM] CWE-79: Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the BPI component via the info URL field. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2020-36865 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.7.2 | 2025-10-30
CVE-2020-36865 [MEDIUM] CWE-79: Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the BPI (Business Process Intelligence) component’s Config Management and Edit Config page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2018-17146 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.5.4 | 2019-06-19
CVE-2018-17146 [MEDIUM] CWE-79: A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page.
nvd
CVE-2024-54958 | P4 | MEDIUM | CVSS 6.1 | v2024 | 2025-02-20
CVE-2024-54958 [MEDIUM] CWE-79: Nagios XI 2024R1.2.2 is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the Tools page. This flaw allows an attacker to inject malicious scripts into the Tools interface, which are then stored and executed in the context of other users accessing the page.
nvd
CVE-2018-10554 | P4 | MEDIUM | CVSS 5.4 | v5.4.13 | 2018-04-30
CVE-2018-10554 [MEDIUM] CWE-79: An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] arra
nvd
CVE-2025-56432 | P4 | MEDIUM | CVSS 6.1 | v2024 | 2025-08-26
CVE-2025-56432 [MEDIUM] CWE-79: A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data.
nvd
CVE-2023-40932 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.11.2 | 2023-09-19
CVE-2023-40932 [MEDIUM] CWE-79: A cross-site scripting (XSS) vulnerability in Nagios XI version 5.11.1 and below allows authenticated attackers with access to the custom logo component to inject arbitrary JavaScript or HTML via the alt-text field. This affects all pages containing the navbar including the login page which means the attacker is able to steal plaintext credentials
nvd
CVE-2023-51072 | P4 | MEDIUM | CVSS 5.4 | fixed in 2024 | v2024 | 2024-02-02
CVE-2023-51072 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI version up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the audio file upload functionality from the Operation Center section. This allows any authenticated user to execute arbitrary JavaScript code on behalf of
nvd
CVE-2023-7318 | P4 | MEDIUM | CVSS 5.4 | fixed in 2024 | v2024 | 2025-10-30
CVE-2023-7318 [MEDIUM] CWE-79: Nagios XI versions prior to 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2023-7313 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.11.3 | 2025-10-30
CVE-2023-7313 [MEDIUM] CWE-79: Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bulk Modifications tool. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2011-10038 | P4 | MEDIUM | CVSS 5.4 | ≤ 2009 | v2011 | 2025-10-30
CVE-2011-10038 [MEDIUM] CWE-79: Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2016-15053 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.2.4 | 2025-10-30
CVE-2016-15053 [MEDIUM] CWE-79: Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2016-15052 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.2.4 | 2025-10-30
CVE-2016-15052 [MEDIUM] CWE-79: Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Menu System of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd
CVE-2021-47691 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.8.2 | 2025-10-30
CVE-2021-47691 [MEDIUM] CWE-79: The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.1 / Nagios XI 5.8.2 contains multiple cross-site scripting (XSS) vulnerabilities via the Services page affecting the config_name and service_description fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in
nvd
CVE-2021-47696 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.8.0 | 2025-10-30
CVE-2021-47696 [MEDIUM] CWE-79: Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via BPI config ID handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
nvd