Nagios
by Nagios
CVEs (124)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-37348 | | | 0.01 | — | 0.03 | | Aug 13, 2021 | Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php. |
| CVE-2020-28648 | | | 0.01 | — | 0.06 | | Nov 16, 2020 | Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code. |
| CVE-2019-20139 | | | 0.01 | — | 0.26 | | Dec 30, 2019 | In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user. |
| CVE-2018-15709 | | | 0.01 | — | 0.21 | | Nov 14, 2018 | Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request. |
| CVE-2008-5027 | | | 0.01 | — | 0.07 | | Nov 10, 2008 | The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote authenticated users to bypass authorization checks, and trigger execution of arbitrary programs by this process, via an (a) custom form or a (b) browser addon. |
| CVE-2026-2041 | | | 0.00 | — | 0.75 | | Feb 20, 2026 | Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific… |
| CVE-2026-2042 | | | 0.00 | — | 0.06 | | Feb 20, 2026 | Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists… |
| CVE-2025-67254 | | | 0.00 | — | 0.02 | | Dec 29, 2025 | NagiosXI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php. |
| CVE-2025-67255 | | | 0.00 | — | 0.01 | | Dec 29, 2025 | In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability. |
| CVE-2025-34288 | | | 0.00 | — | 0.02 | | Dec 16, 2025 | Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file… |
| CVE-2025-34227 | | | 0.00 | — | 0.26 | | Sep 25, 2025 | Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute… |
| CVE-2024-13986 | | | 0.00 | — | 0.02 | | Aug 28, 2025 | Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and… |
| CVE-2024-54957 | | | 0.00 | — | 0.01 | | Feb 27, 2025 | Nagios XI 2024R1.2.2 is vulnerable to an open redirect flaw on the Tools page, exploitable by users with read-only permissions. This vulnerability allows an attacker to craft a malicious link that redirects users to an arbitrary external URL without their consent. |
| CVE-2024-54958 | | | 0.00 | — | 0.01 | | Feb 20, 2025 | Nagios XI 2024R1.2.2 is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the Tools page. This flaw allows an attacker to inject malicious scripts into the Tools interface, which are then stored and executed in the context of other users accessing the page. |
| CVE-2024-54960 | | | 0.00 | — | 0.01 | | Feb 20, 2025 | A SQL Injection vulnerability in Nagios XI 2024R1.2.2 allows a remote attacker to execute SQL injection via a crafted payload in the History Tab component. |
| CVE-2024-54959 | | | 0.00 | — | 0.01 | | Feb 20, 2025 | Nagios XI 2024R1.2.2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack through the Favorites component, enabling POST-based Cross-Site Scripting (XSS). |
| CVE-2024-54961 | | | 0.00 | — | 0.02 | | Feb 20, 2025 | Nagios XI 2024R1.2.2 has an Information Disclosure vulnerability, which allows unauthenticated users to access multiple pages displaying the usernames and email addresses of all current users. |
| CVE-2024-42898 | | | 0.00 | — | 0.01 | | Jan 9, 2025 | A cross-site scripting (XSS) vulnerability in Nagios XI 2024R1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Account Settings page. |
| CVE-2023-48082 | | | 0.00 | — | 0.02 | | Oct 14, 2024 | Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate. |
| CVE-2024-33775 | | | 0.00 | — | 0.02 | | May 1, 2024 | An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet. |