
Nagios XI vulnerabilities

59 known vulnerabilities affecting nagios/xi.

Total CVEs: 59
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 17, MEDIUM 40

Vulnerabilities

Page 1 of 3
CVE-2013-10073 | P2 | HIGH | CVSS 8.8 | fixed in 2012R1.6 | 2025-10-30
[HIGH] CWE-78: Nagios XI versions prior to 2012R1.6 contain a shell command injection vulnerability in the Auto-Discovery tool. User-controlled input is passed to a shell without adequate sanitation or argument quoting, allowing an authenticated user with access to discovery functionality to execute arbitrary commands with the privileges of the application service.
Source: nvd
CVE-2018-25122 | P2 | HIGH | CVSS 8.8 | fixed in 5.4.13 | 2025-10-30
[HIGH] CWE-78: Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled input and lacked sufficient validation and output encoding, allowing an authenticated user to inject commands or otherwise execute arbitrary code with the
Source: nvd
CVE-2020-36856 | P2 | HIGH | CVSS 8.8 | fixed in 5.6.14 | 2025-10-30
[HIGH] CWE-78: Nagios XI versions prior to 5.6.14 contain an authenticated remote command execution vulnerability in the CCM command_test.php script. Insufficient validation of the `address` parameter allows an authenticated user with access to the Core Config Manager to inject shell metacharacters that are incorporated into backend command invocations. Successful ex
Source: nvd
CVE-2023-7317 | P2 | HIGH | CVSS 8.8 | fixed in 2024R1 | 2025-10-30
[HIGH] CWE-862: Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command execution or disclosure of sensitive information.
Source: nvd
CVE-2020-36863 | P2 | HIGH | CVSS 8.8 | fixed in 5.7.2 | 2025-10-30
[HIGH] CWE-434: Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import
Source: nvd
CVE-2024-13994 | P2 | CRITICAL | CVSS 9.8 | fixed in 2024R1.1.2 | 2025-10-30
[CRITICAL] CWE-862: Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios
Source: nvd
CVE-2020-36867 | P2 | HIGH | CVSS 8.8 | fixed in 5.7.3 | 2025-10-30
[HIGH] CWE-78: Nagios XI versions prior to 5.7.3 contain a command injection vulnerability in the report PDF download/export functionality. User-supplied values used in the PDF generation pipeline or the wrapper that invokes offline/pdf helper utilities were insufficiently validated or improperly escaped, allowing an authenticated attacker who can trigger PDF exports
Source: nvd
CVE-2016-15050 | P3 | HIGH | CVSS 8.8 | fixed in 5.2.4 | 2025-10-30
[HIGH] CWE-89: Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitation, allowing an authenticated user to manipulate database queries. Successful exploitation could disclose or modify notificat
Source: nvd
CVE-2020-36859 | P3 | HIGH | CVSS 8.8 | fixed in 5.7.4 | 2025-10-30
[HIGH] CWE-89: The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple SQL injection vulnerabilities in the object edit pages. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lea
Source: nvd
CVE-2025-34286 | P3 | HIGH | CVSS 7.2 | fixed in 2026R1 | 2025-10-30
[HIGH] CWE-78: Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are executed on the server. Successful exploitation results in ar
Source: nvd
CVE-2021-47693 | P3 | HIGH | CVSS 8.8 | fixed in 5.8.5 | 2025-10-30
[HIGH] CWE-89: The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to un
Source: nvd
CVE-2020-36857 | P3 | HIGH | CVSS 7.2 | fixed in 5.6.14 | 2025-10-30
[HIGH] CWE-89: Nagios XI versions prior to 5.6.14 contain a post-authentication SQL injection vulnerability in the SNMP Trap Interface page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead t
Source: nvd
CVE-2012-10063 | P3 | CRITICAL | CVSS 9.8 | fixed in 2012R1.3 | 2025-10-30
[CRITICAL] CWE-89: Nagios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation cou
Source: nvd
CVE-2020-36869 | P3 | HIGH | CVSS 7.2 | fixed in 5.7.5 | 2025-10-30
[HIGH] CWE-89: Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized
Source: nvd
CVE-2020-36868 | P3 | HIGH | CVSS 7.8 | fixed in 5.7.3 | 2025-10-30
[HIGH] CWE-73: Nagios XI versions prior to 5.7.3 contain a privilege escalation vulnerability in the getprofile.sh helper script. The script performed profile retrieval and initialization routines using insecure file/command handling and insufficient validation of attacker-controlled inputs, and in some deployments executed with elevated privileges. A local attacker w
Source: nvd
CVE-2018-25123 | P3 | HIGH | CVSS 7.8 | fixed in 5.5.7 | 2025-10-30
[HIGH] CWE-250: Nagios XI versions prior to 5.5.7 contain a privilege escalation vulnerability in the MRTG graphing component. MRTG-related processes/scripts executed with excessive privileges, allowing a local attacker with limited system access to abuse file/command execution paths or writable resources to gain elevated privileges.
Source: nvd
CVE-2025-34287 | P3 | HIGH | CVSS 7.8 | fixed in 2024R2 | 2025-10-30
[HIGH] CWE-732: Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next
Source: nvd
CVE-2021-47700 | P3 | HIGH | CVSS 7.8 | fixed in 5.8.7 | 2025-10-30
[HIGH] CWE-250: Nagios XI versions prior to 5.8.7 used a temporary directory for Highcharts exports with overly permissive ownership/permissions under the Apache user. Local or co-hosted processes could read/overwrite export artifacts or manipulate paths, risking disclosure or tampering and potential code execution depending on deployment.
Source: nvd
CVE-2013-10072 | P3 | MEDIUM | CVSS 6.5 | fixed in 2012R1.6 | 2025-10-30
[MEDIUM] CWE-862: Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations.
Source: nvd
CVE-2011-10035 | P3 | HIGH | CVSS 7.0 | fixed in 2011R1.9 | 2025-10-30
[HIGH] CWE-367: Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the
Source: nvd