Vendor CVEs
Nagios
All CVEs
293 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2020-6586 | 0.01 | — | 0.27 | Mar 16, 2020 | Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a crafted name field that is mishandled on the /admin/users page. Any malicious user with limited access can store an XSS payload in his Name. When any admin views this, the XSS is triggered. | |||
| CVE-2019-20139 | 0.01 | — | 0.26 | Dec 30, 2019 | In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgroup, or servicegroup parameter, or the schedulereport.php hour or frequency parameter. Any authenticated user can attack the admin user. | |||
| CVE-2019-9167 | 0.01 | — | 0.22 | Mar 28, 2019 | Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter. | |||
| CVE-2019-9165 | 0.01 | — | 0.05 | Mar 28, 2019 | SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id. | |||
| CVE-2018-15709 | 0.01 | — | 0.21 | Nov 14, 2018 | Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request. | |||
| CVE-2008-5027 | 0.01 | — | 0.07 | Nov 10, 2008 | The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote authenticated users to bypass authorization checks, and trigger execution of arbitrary programs by this process, via an (a) custom form or a (b) browser addon. | |||
| CVE-2026-2041 | 0.00 | — | 0.75 | Feb 20, 2026 | Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific… | |||
| CVE-2026-2043 | 0.00 | — | 0.74 | Feb 20, 2026 | Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The… | |||
| CVE-2026-2042 | 0.00 | — | 0.06 | Feb 20, 2026 | Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists… | |||
| CVE-2025-67254 | 0.00 | — | 0.02 | Dec 29, 2025 | Nagios XI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php. | |||
| CVE-2025-67255 | 0.00 | — | 0.01 | Dec 29, 2025 | In Nagios XI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability. | |||
| CVE-2025-34288 | 0.00 | — | 0.02 | Dec 16, 2025 | Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file… | |||
| CVE-2025-34323 | 0.00 | — | 0.00 | Nov 17, 2025 | Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to a combination of sudo misconfiguration and group-writable application directories. The 'www-data' user is a member of the 'nagios' group, which has write access to… | |||
| CVE-2025-34322 | 0.00 | — | 0.05 | Nov 17, 2025 | Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settings—including model selection and connection… | |||
| CVE-2021-47698 | 0.00 | — | 0.00 | Nov 3, 2025 | Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI’s Views URL handling (escape_string()). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary… | |||
| CVE-2024-13997 | 0.00 | — | 0.01 | Nov 3, 2025 | Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level… | |||
| CVE-2024-13998 | 0.00 | — | 0.01 | Nov 3, 2025 | Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to… | |||
| CVE-2024-13992 | 0.00 | — | 0.01 | Oct 31, 2025 | Nagios XI versions prior to 2024R1.1 are vulnerable to cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied… | |||
| CVE-2011-10037 | 0.00 | — | 0.01 | Oct 30, 2025 | Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute… | |||
| CVE-2021-47697 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via the Views feature URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2018-25121 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.4.13 are vulnerable to cross-site scripting (XSS) via the Views page of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2013-10074 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's… | |||
| CVE-2011-10040 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the… | |||
| CVE-2016-15051 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script… | |||
| CVE-2011-10038 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of… | |||
| CVE-2021-47695 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.8.0 are vulnerable to stored cross-site scripting (XSS) via the My Tools page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2016-15053 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a… | |||
| CVE-2016-15052 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Menu System of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2020-36866 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.7.3 are vulnerable to cross-site scripting (XSS) via the Manage Users page of the Admin interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's… | |||
| CVE-2023-7316 | 0.00 | — | 0.01 | Oct 30, 2025 | Nagios XI versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2023-7315 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2024-14001 | 0.00 | — | 0.01 | Oct 30, 2025 | Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Executive Summary Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's… | |||
| CVE-2020-36864 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the background color settings in Dashboards. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's… | |||
| CVE-2023-7318 | 0.00 | — | 0.01 | Oct 30, 2025 | Nagios XI versions prior to 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's… | |||
| CVE-2024-14000 | 0.00 | — | 0.01 | Oct 30, 2025 | Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Capacity Planning Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's… | |||
| CVE-2023-7313 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bulk Modifications tool. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2020-36865 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the BPI (Business Process Intelligence) component’s Config Management and Edit Config page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and… | |||
| CVE-2021-47696 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via BPI config ID handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2023-7314 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bandwidth Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2011-10036 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a… | |||
| CVE-2011-10039 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the Alert Heatmap report and the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute… | |||
| CVE-2021-47699 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.8.7 are vulnerable to cross-site scripting (XSS) via the Audit Log page’s Send to NLS form. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's… | |||
| CVE-2023-53688 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that… | |||
| CVE-2023-7317 | 0.00 | — | 0.02 | Oct 30, 2025 | Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command… | |||
| CVE-2020-36863 | 0.00 | — | 0.01 | Oct 30, 2025 | Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the… | |||
| CVE-2020-36862 | 0.00 | — | 0.01 | Oct 30, 2025 | Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch… | |||
| CVE-2022-50587 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) via the Apply Configuration error text. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2022-50586 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the BPI component via the info URL field. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's… | |||
| CVE-2022-50588 | 0.00 | — | 0.00 | Oct 30, 2025 | Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the update checking feature. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | |||
| CVE-2020-36869 | 0.00 | — | 0.02 | Oct 30, 2025 | Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is… |