VYPR
Vendor: Icinga

Products: 10
CVEs: 54
Across products: 71
Status: Private

Recent CVEs

  • CVE-2017-16882 | High | Nov 18, 2017
    risk 0.51 | cvss 7.8 | epss 0.00

    Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a non-root account), which allows local users to gain privileges by leveraging…

  • CVE-2017-16933 | High | Nov 24, 2017
    risk 0.46 | cvss 7.0 | epss 0.00

    etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_USER account for creation of a link.

  • CVE-2026-42224 | High | May 8, 2026
    risk 0.42 | cvss 7.6 | epss 0.00

    ipl/web is a set of common web components for PHP projects. Prior to versions 0.13.1 and 0.10.3, the vulnerability allows an attacker to inject malicious JavaScript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared…

  • CVE-2025-27406 | High | Mar 26, 2025
    risk 0.42 | cvss 7.6 | epss 0.00

    Icinga Reporting is the central component for reporting-related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows setting up a template that can embed arbitrary JavaScript. This enables…

  • CVE-2015-8010 | Medium | Mar 27, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi.

  • CVE-2018-6536 | Medium | Feb 2, 2018
    risk 0.36 | cvss 5.5 | epss 0.00

    An issue was discovered in Icinga 2.x through 2.8.1. The daemon creates an icinga2.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for icinga2.pid modification…

  • CVE-2022-50942 | Medium | Feb 1, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Icinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading…

  • CVE-2025-23203 | Medium | Mar 26, 2025
    risk 0.29 | cvss 5.5 | epss 0.00

    Icinga Director is an Icinga config deployment tool. A security vulnerability has been found starting in version 1.0.0 and prior to 1.10.4 and 1.11.4 on several Director endpoints of the REST API. To reproduce this vulnerability an authenticated user with permission to access the…

  • CVE-2024-41811 | Low | Aug 5, 2024
    risk 0.18 | cvss 3.9 | epss 0.00

    ipl/web is a set of common web components for PHP projects. Some of the recent development by Icinga is, under certain circumstances, susceptible to cross-site request forgery (CSRF). All affected products, in any version, will be unaffected by this once `icinga-php-library` is…

  • CVE-2022-24716 | Mar 8, 2022
    risk 0.10 | cvss n/a | epss 0.89

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This…

  • CVE-2013-7108 | Jan 15, 2014
    risk 0.08 | cvss n/a | epss 0.60

    Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in…

  • CVE-2012-6096 | Jan 22, 2013
    risk 0.08 | cvss n/a | epss 0.66

    Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host…

  • CVE-2011-2179 | Jun 14, 2011
    risk 0.05 | cvss n/a | epss 0.26

    Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.

  • CVE-2022-24715 | Mar 8, 2022
    risk 0.04 | cvss n/a | epss 0.15

    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved…

  • CVE-2026-24414 | Jan 29, 2026
    risk 0.00 | cvss n/a | epss 0.00

    The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows `certificate` directory grant every user read…

  • CVE-2026-24413 | Jan 29, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in its contents - including…

  • CVE-2025-61909 | Oct 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped with Icinga 2 read the PID of the main Icinga 2 process from a PID file…

  • CVE-2025-61908 | Oct 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing results in a segmentation fault. This can be used by any API user with access to an API endpoint that…

  • CVE-2025-61907 | Oct 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to…

  • CVE-2025-61789 | Oct 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to…