Nagios
Nagios is an open-source network and infrastructure monitoring system. It monitors hosts, services, and network devices, sending alerts when components fail and again when they recover. Originally written by Ethan Galstad in 1999 as NetSaint, it was renamed Nagios in 2002 after a trademark dispute. The name is a recursive acronym: "Nagios Ain't Gonna Insist On Sainthood."
Products (25)
- 124 CVEs
- 115 CVEs
- 26 CVEs
- 15 CVEs
- 14 CVEs
- 9 CVEs
- 8 CVEs
- 8 CVEs
- 4 CVEs
- 4 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs (293)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-8734 | | Cri | 0.71 | 9.8 | 0.53 | | Apr 18, 2018 | SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter. |
| CVE-2018-8733 | | Cri | 0.69 | 9.8 | 0.28 | | Apr 18, 2018 | Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability. |
| CVE-2016-9565 | | Cri | 0.69 | 9.8 | 0.23 | | Dec 15, 2016 | MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for… |
| CVE-2018-8735 | | Hig | 0.65 | 8.8 | 0.64 | | Apr 18, 2018 | Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection. |
| CVE-2023-53948 | | Cri | 0.64 | 9.8 | 0.01 | | Dec 19, 2025 | Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a… |
| CVE-2012-10029 | | Hig | 0.64 | — | 0.03 | | Aug 5, 2025 | Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized parameters such as `host`, resulting in remote code execution. |
| CVE-2018-8736 | | Hig | 0.64 | 8.8 | 0.47 | | Apr 18, 2018 | A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root. |
| CVE-2016-0726 | | Cri | 0.64 | 9.8 | 0.02 | | Jun 6, 2017 | The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials. |
| CVE-2008-7313 | | Cri | 0.64 | 9.8 | 0.05 | | Mar 31, 2017 | The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796. |
| CVE-2014-5009 | | Cri | 0.57 | 9.8 | 0.05 | | Mar 31, 2017 | Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008. |
| CVE-2016-9566 | | Hig | 0.54 | 7.8 | 0.05 | | Dec 15, 2016 | base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565. |
| CVE-2017-14312 | | Hig | 0.51 | 7.8 | 0.00 | | Sep 11, 2017 | Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root but supports configuration options in which this file is owned by a non-root account (and similarly can have nagios.cfg owned by a non-root account), which allows local users to gain privileges by leveraging… |
| CVE-2016-10089 | | Hig | 0.51 | 7.8 | 0.01 | | Feb 15, 2017 | Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641. |
| CVE-2018-10738 | | Hig | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter. |
| CVE-2018-10737 | | Hig | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter. |
| CVE-2018-10736 | | Hig | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter. |
| CVE-2018-10735 | | Hig | 0.50 | 7.2 | 0.43 | | May 16, 2018 | A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter. |
| CVE-2023-37154 | | Hig | 0.48 | 8.4 | 0.00 | | Oct 9, 2024 | check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has been categorized both as fixed in e8810de, and as intended behavior. |
| CVE-2018-10553 | | Med | 0.45 | 6.5 | 0.39 | | Apr 30, 2018 | An issue was discovered in Nagios XI 5.4.13. A registered user is able to use directory traversal to read local files, as demonstrated by URIs beginning with index.php?xiwindow=./ and config/?xiwindow=../ substrings. |
| CVE-2017-12847 | | Med | 0.41 | 6.3 | 0.01 | | Aug 23, 2017 | Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill… |