
Nagios

by Nagios


CVEs (124)

  • CVE-2021-37348 · Aug 13, 2021
    risk 0.01 · cvss · epss 0.03

    Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.

  • CVE-2020-28648 · Nov 16, 2020
    risk 0.01 · cvss · epss 0.06

    Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.

  • CVE-2019-20139 · Dec 30, 2019
    risk 0.01 · cvss · epss 0.26

    In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user.

  • CVE-2018-15709 · Nov 14, 2018
    risk 0.01 · cvss · epss 0.21

    Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request.

  • CVE-2008-5027 · Nov 10, 2008
    risk 0.01 · cvss · epss 0.07

    The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote authenticated users to bypass authorization checks, and trigger execution of arbitrary programs by this process, via an (a) custom form or a (b) browser addon.

  • CVE-2026-2041 · Feb 20, 2026
    risk 0.00 · cvss · epss 0.75

    Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific…

  • CVE-2026-2042 · Feb 20, 2026
    risk 0.00 · cvss · epss 0.06

    Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists…

  • CVE-2025-67254 · Dec 29, 2025
    risk 0.00 · cvss · epss 0.02

    NagiosXI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php.

  • CVE-2025-67255 · Dec 29, 2025
    risk 0.00 · cvss · epss 0.01

    In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability.

  • CVE-2025-34288 · Dec 16, 2025
    risk 0.00 · cvss · epss 0.02

    Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file…

  • CVE-2025-34227 · Sep 25, 2025
    risk 0.00 · cvss · epss 0.26

    Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute…

  • CVE-2024-13986 · Aug 28, 2025
    risk 0.00 · cvss · epss 0.02

    Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and…

  • CVE-2024-54957 · Feb 27, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios XI 2024R1.2.2 is vulnerable to an open redirect flaw on the Tools page, exploitable by users with read-only permissions. This vulnerability allows an attacker to craft a malicious link that redirects users to an arbitrary external URL without their consent.

  • CVE-2024-54958 · Feb 20, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios XI 2024R1.2.2 is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the Tools page. This flaw allows an attacker to inject malicious scripts into the Tools interface, which are then stored and executed in the context of other users accessing the page.

  • CVE-2024-54960 · Feb 20, 2025
    risk 0.00 · cvss · epss 0.01

    A SQL Injection vulnerability in Nagios XI 2024R1.2.2 allows a remote attacker to execute SQL injection via a crafted payload in the History Tab component.

  • CVE-2024-54959 · Feb 20, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios XI 2024R1.2.2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack through the Favorites component, enabling POST-based Cross-Site Scripting (XSS).

  • CVE-2024-54961 · Feb 20, 2025
    risk 0.00 · cvss · epss 0.02

    Nagios XI 2024R1.2.2 has an Information Disclosure vulnerability, which allows unauthenticated users to access multiple pages displaying the usernames and email addresses of all current users.

  • CVE-2024-42898 · Jan 9, 2025
    risk 0.00 · cvss · epss 0.01

    A cross-site scripting (XSS) vulnerability in Nagios XI 2024R1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Account Settings page.

  • CVE-2023-48082 · Oct 14, 2024
    risk 0.00 · cvss · epss 0.02

    Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate.

  • CVE-2024-33775 · May 1, 2024
    risk 0.00 · cvss · epss 0.02

    An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet.
