VYPR

Nagios

by Nagios

CVEs (124)

  • CVE-2018-8734 | Cri | Apr 18, 2018
    risk 0.71 | cvss 9.8 | epss 0.53

    SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.

  • CVE-2018-8733 | Cri | Apr 18, 2018
    risk 0.69 | cvss 9.8 | epss 0.28

    Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

  • CVE-2016-9565 | Cri | Dec 15, 2016
    risk 0.69 | cvss 9.8 | epss 0.23

    MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for…

  • CVE-2018-8735 | Hig | Apr 18, 2018
    risk 0.65 | cvss 8.8 | epss 0.64

    Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.

  • CVE-2012-10029 | Hig | Aug 5, 2025
    risk 0.64 | cvss | epss 0.03

    Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized parameters such as `host`, resulting in remote code execution.

  • CVE-2018-8736 | Hig | Apr 18, 2018
    risk 0.64 | cvss 8.8 | epss 0.47

    A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.

  • CVE-2016-0726 | Cri | Jun 6, 2017
    risk 0.64 | cvss 9.8 | epss 0.02

    The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.

  • CVE-2008-7313 | Cri | Mar 31, 2017
    risk 0.64 | cvss 9.8 | epss 0.05

    The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796.

  • CVE-2014-5009 | Cri | Mar 31, 2017
    risk 0.57 | cvss 9.8 | epss 0.05

    Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008.

  • CVE-2016-9566 | Hig | Dec 15, 2016
    risk 0.54 | cvss 7.8 | epss 0.05

    base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.

  • CVE-2016-10089 | Hig | Feb 15, 2017
    risk 0.51 | cvss 7.8 | epss 0.01

    Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641.

  • CVE-2018-10736 | Hig | May 16, 2018
    risk 0.50 | cvss 7.2 | epss 0.43

    A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.

  • CVE-2017-12847 | Med | Aug 23, 2017
    risk 0.41 | cvss 6.3 | epss 0.01

    Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill…

  • CVE-2016-8641 | Med | Aug 1, 2018
    risk 0.40 | cvss 6.7 | epss 0.01

    A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and…

  • CVE-2016-6209 | Med | Mar 31, 2017
    risk 0.40 | cvss 6.1 | epss 0.02

    Cross-site scripting (XSS) vulnerability in Nagios.

  • CVE-2018-10554 | Med | Apr 30, 2018
    risk 0.35 | cvss 5.4 | epss 0.03

    An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages…

  • CVE-2021-25297 | KEV | Feb 15, 2021
    risk 0.22 | cvss | epss 0.43

    Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead…

  • CVE-2021-25296 | KEV | Feb 15, 2021
    risk 0.22 | cvss | epss 0.72

    Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which…

  • CVE-2019-15949 | KEV | Sep 5, 2019
    risk 0.22 | cvss | epss 0.78

    Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is…

  • CVE-2021-25298 | KEV | Feb 15, 2021
    risk 0.21 | cvss | epss 0.75

    Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can…

Page 1 of 7