XI by Nagios
CVEs (129)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-15714 | Nagios / XI | Med | 0.40 | 6.1 | 0.04 | — | Nov 14, 2018 | Nagios XI 5.5.6 allows reflected cross-site scripting from remote unauthenticated attackers via the oname and oname2 parameters. |
| CVE-2020-27991 | Nagios / XI | Med | 0.37 | 5.4 | 0.22 | — | Nov 16, 2020 | Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field). |
| CVE-2019-20139 | Nagios / XI | Med | 0.37 | 5.4 | 0.26 | — | Dec 30, 2019 | In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user. |
| CVE-2021-26024 | Nagios / XI | Med | 0.36 | 5.3 | 0.19 | — | Feb 3, 2021 | The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account. |
| CVE-2024-42898 | Nagios / XI | Med | 0.35 | 5.4 | 0.01 | — | Jan 9, 2025 | A cross-site scripting (XSS) vulnerability in Nagios XI 2024R1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Account Settings page. |
| CVE-2023-51072 | Nagios / XI | Med | 0.35 | 5.4 | 0.01 | — | Feb 2, 2024 | A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI version up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the audio file upload functionality from the Operation Center section. This allows… |
| CVE-2018-17146 | Nagios / XI | Med | 0.35 | 5.4 | 0.04 | — | Jun 19, 2019 | A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 via the 'name' parameter within the Account Information page. Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the auto login admin management page. |
| CVE-2018-17147 | Nagios / XI | Med | 0.31 | 4.8 | 0.03 | — | Jul 10, 2019 | Nagios XI before 5.5.4 has XSS in the auto login admin management page. |
| CVE-2022-29270 | Nagios / XI | Med | 0.28 | 4.3 | 0.02 | — | Jun 29, 2022 | In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address. |
| CVE-2013-6875 | Nagios / XI | — | 0.03 | — | 0.03 | — | Nov 26, 2013 | SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php. |
| CVE-2025-34288 | Nagios / XI | — | 0.00 | — | 0.02 | — | Dec 16, 2025 | Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user-accessible maintenance script may be executed as root via sudo and includes an application file… |
| CVE-2021-47698 | Nagios / XI | — | 0.00 | — | 0.00 | — | Nov 3, 2025 | Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI's Views URL handling (escape_string()). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary… |
| CVE-2024-13997 | Nagios / XI | — | 0.00 | — | 0.01 | — | Nov 3, 2025 | Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level… |
| CVE-2024-13998 | Nagios / XI | — | 0.00 | — | 0.01 | — | Nov 3, 2025 | Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to… |
| CVE-2024-13992 | Nagios / XI | — | 0.00 | — | 0.01 | — | Oct 31, 2025 | Nagios XI versions prior to 2024R1.1 are vulnerable to cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied… |
| CVE-2011-10037 | Nagios / XI | — | 0.00 | — | 0.01 | — | Oct 30, 2025 | Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute… |
| CVE-2021-47697 | Nagios / XI | — | 0.00 | — | 0.00 | — | Oct 30, 2025 | Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via the Views feature URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2018-25121 | Nagios / XI | — | 0.00 | — | 0.00 | — | Oct 30, 2025 | Nagios XI versions prior to 5.4.13 are vulnerable to cross-site scripting (XSS) via the Views page of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2013-10074 | Nagios / XI | — | 0.00 | — | 0.00 | — | Oct 30, 2025 | Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's… |
| CVE-2011-10040 | Nagios / XI | — | 0.00 | — | 0.00 | — | Oct 30, 2025 | Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the… |