Nagios

All CVEs

293 total · sorted by risk
  • CVE-2018-8734 · Critical · Apr 18, 2018
    risk 0.71 · cvss 9.8 · epss 0.53

    SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.

  • CVE-2018-8733 · Critical · Apr 18, 2018
    risk 0.69 · cvss 9.8 · epss 0.28

    Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

  • CVE-2016-9565 · Critical · Dec 15, 2016
    risk 0.69 · cvss 9.8 · epss 0.23

    MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for…

  • CVE-2018-8735 · High · Apr 18, 2018
    risk 0.65 · cvss 8.8 · epss 0.64

    Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.

  • CVE-2023-53948 · Critical · Dec 19, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a…

  • CVE-2012-10029 · High · Aug 5, 2025
    risk 0.64 · cvss n/a · epss 0.03

    Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized parameters such as `host`, resulting in remote code execution.

  • CVE-2018-8736 · High · Apr 18, 2018
    risk 0.64 · cvss 8.8 · epss 0.47

    A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.

  • CVE-2016-0726 · Critical · Jun 6, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.

  • CVE-2008-7313 · Critical · Mar 31, 2017
    risk 0.64 · cvss 9.8 · epss 0.05

    The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796.

  • CVE-2014-5009 · Critical · Mar 31, 2017
    risk 0.57 · cvss 9.8 · epss 0.05

    Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008.

  • CVE-2016-9566 · High · Dec 15, 2016
    risk 0.54 · cvss 7.8 · epss 0.05

    base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.

  • CVE-2017-14312 · High · Sep 11, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root but supports configuration options in which this file is owned by a non-root account (and similarly can have nagios.cfg owned by a non-root account), which allows local users to gain privileges by leveraging…

  • CVE-2016-10089 · High · Feb 15, 2017
    risk 0.51 · cvss 7.8 · epss 0.01

    Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641.

  • CVE-2018-10738 · High · May 16, 2018
    risk 0.50 · cvss 7.2 · epss 0.43

    A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.

  • CVE-2018-10737 · High · May 16, 2018
    risk 0.50 · cvss 7.2 · epss 0.43

    A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter.

  • CVE-2018-10736 · High · May 16, 2018
    risk 0.50 · cvss 7.2 · epss 0.43

    A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/info.php key1 parameter.

  • CVE-2018-10735 · High · May 16, 2018
    risk 0.50 · cvss 7.2 · epss 0.43

    A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/commandline.php cname parameter.

  • CVE-2023-37154 · High · Oct 9, 2024
    risk 0.48 · cvss 8.4 · epss 0.00

    check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has been categorized both as fixed in e8810de, and as intended behavior.

  • CVE-2018-10553 · Medium · Apr 30, 2018
    risk 0.45 · cvss 6.5 · epss 0.39

    An issue was discovered in Nagios XI 5.4.13. A registered user is able to use directory traversal to read local files, as demonstrated by URIs beginning with index.php?xiwindow=./ and config/?xiwindow=../ substrings.

  • CVE-2017-12847 · Medium · Aug 23, 2017
    risk 0.41 · cvss 6.3 · epss 0.01

    Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill…

  • CVE-2025-44002 · Medium · Aug 26, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    Race Condition in the Directory Validation Logic in the TeamViewer Full Client and Host prior version 15.69 on Windows allows a local non-admin user to create arbitrary files with SYSTEM privileges, potentially leading to a denial-of-service condition, via symbolic link…

  • CVE-2016-8641 · Medium · Aug 1, 2018
    risk 0.40 · cvss 6.7 · epss 0.01

    A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and…

  • CVE-2018-12501 · Medium · Jun 16, 2018
    risk 0.40 · cvss 6.1 · epss 0.02

    Nagios Fusion before 4.1.4 has XSS, aka TPS#13332-13335.

  • CVE-2015-3618 · Medium · Feb 6, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Nagios Business Process Intelligence (BPI) before 2.3.4 allows remote attackers to inject arbitrary web script or HTML via vectors involving index.php.

  • CVE-2016-6209 · Medium · Mar 31, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in Nagios.

  • CVE-2018-13458 · Medium · Jul 12, 2018
    risk 0.39 · cvss 5.5 · epss 0.05

    qh_core in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.

  • CVE-2018-13457 · Medium · Jul 12, 2018
    risk 0.39 · cvss 5.5 · epss 0.05

    qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.

  • CVE-2018-13441 · Medium · Jul 12, 2018
    risk 0.39 · cvss 5.5 · epss 0.01

    qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.

  • CVE-2018-10554 · Medium · Apr 30, 2018
    risk 0.35 · cvss 5.4 · epss 0.03

    An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages…

  • CVE-2026-6342 · Medium · May 18, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost…

  • CVE-2021-25296 · KEV · Feb 15, 2021
    risk 0.22 · cvss n/a · epss 0.72

    Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which…

  • CVE-2021-25297 · KEV · Feb 15, 2021
    risk 0.22 · cvss n/a · epss 0.43

    Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead…

  • CVE-2019-15949 · KEV · Sep 5, 2019
    risk 0.22 · cvss n/a · epss 0.78

    Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is…

  • CVE-2021-25298 · KEV · Feb 15, 2021
    risk 0.21 · cvss n/a · epss 0.75

    Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can…

  • CVE-2021-37343 · Aug 13, 2021
    risk 0.10 · cvss n/a · epss 0.24

    A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios.

  • CVE-2020-35578 · Jan 13, 2021
    risk 0.10 · cvss n/a · epss 0.82

    An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.

  • CVE-2020-5791 · Oct 20, 2020
    risk 0.10 · cvss n/a · epss 0.79

    Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.

  • CVE-2018-15708 · Nov 14, 2018
    risk 0.10 · cvss n/a · epss 0.89

    Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.

  • CVE-2009-2288 · Jul 1, 2009
    risk 0.10 · cvss n/a · epss 0.83

    statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.

  • CVE-2020-5792 · Oct 20, 2020
    risk 0.09 · cvss n/a · epss 0.61

    Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.

  • CVE-2018-15710 · Nov 14, 2018
    risk 0.09 · cvss n/a · epss 0.44

    Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.

  • CVE-2013-7108 · Jan 15, 2014
    risk 0.08 · cvss n/a · epss 0.60

    Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in…

  • CVE-2013-1362 · Jul 9, 2013
    risk 0.08 · cvss n/a · epss 0.66

    Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.

  • CVE-2012-6096 · Jan 22, 2013
    risk 0.08 · cvss n/a · epss 0.66

    Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host…

  • CVE-2023-48084 · Dec 14, 2023
    risk 0.07 · cvss n/a · epss 0.34

    Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.

  • CVE-2023-40931 · Sep 19, 2023
    risk 0.07 · cvss n/a · epss 0.13

    A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php.

  • CVE-2021-38156 · Sep 15, 2021
    risk 0.07 · cvss n/a · epss 0.89

    In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.

  • CVE-2021-25299 · Feb 15, 2021
    risk 0.07 · cvss n/a · epss 0.97

    Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to…

  • CVE-2021-40344 · Oct 26, 2021
    risk 0.06 · cvss n/a · epss 0.66

    An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote…

  • CVE-2021-40345 · Oct 26, 2021
    risk 0.06 · cvss n/a · epss 0.23

    An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.
