VYPR · Vendor CVEs · Nagios

All CVEs

293 total · sorted by risk
  • CVE-2025-34273 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios Log Server versions prior to 2024R2.0.3 contain an incorrect authorization vulnerability that allows non-administrator users to delete global dashboards. The application did not correctly enforce authorization checks for the global dashboard deletion workflow, enabling…

  • CVE-2024-58273 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.00

    Nagios Log Server versions prior to 2024R1.0.2 contain a local privilege escalation vulnerability that allows an attacker who could execute commands as the Apache web user (or the backend shell user) to escalate to root on the host.

  • CVE-2025-34274 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.02

    Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compromise the Logstash process - for example by exploiting an insecure plugin,…

  • CVE-2023-7322 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect…

  • CVE-2016-15049 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.00

    Nagios Log Server versions prior to 1.4.2 are vulnerable to cross-site scripting (XSS) in the Dashboards section when rendering log entries in the Logs table. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs…

  • CVE-2025-34271 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/TLS is enabled in the product configuration. As a result, an attacker…

  • CVE-2025-34270 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface,…

  • CVE-2025-44824 · Oct 7, 2025
    risk 0.00 · cvss · epss 0.03

    Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is…

  • CVE-2025-44823 · Oct 7, 2025
    risk 0.00 · cvss · epss 0.16

    Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.

  • CVE-2025-34227 · Sep 25, 2025
    risk 0.00 · cvss · epss 0.26

    Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute…

  • CVE-2024-13986 · Aug 28, 2025
    risk 0.00 · cvss · epss 0.02

    Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and…

  • CVE-2025-56432 · Aug 26, 2025
    risk 0.00 · cvss · epss 0.01

    A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for…

  • CVE-2025-28059 · Apr 18, 2025
    risk 0.00 · cvss · epss 0.01

    An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active…

  • CVE-2025-28132 · Apr 1, 2025
    risk 0.00 · cvss · epss 0.00

    A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid…

  • CVE-2025-28131 · Apr 1, 2025
    risk 0.00 · cvss · epss 0.00

    A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization…

  • CVE-2024-54957 · Feb 27, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios XI 2024R1.2.2 is vulnerable to an open redirect flaw on the Tools page, exploitable by users with read-only permissions. This vulnerability allows an attacker to craft a malicious link that redirects users to an arbitrary external URL without their consent.

  • CVE-2024-54961 · Feb 20, 2025
    risk 0.00 · cvss · epss 0.02

    Nagios XI 2024R1.2.2 has an Information Disclosure vulnerability, which allows unauthenticated users to access multiple pages displaying the usernames and email addresses of all current users.

  • CVE-2024-54959 · Feb 20, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios XI 2024R1.2.2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack through the Favorites component, enabling POST-based Cross-Site Scripting (XSS).

  • CVE-2024-54960 · Feb 20, 2025
    risk 0.00 · cvss · epss 0.01

    A SQL Injection vulnerability in Nagios XI 2024R1.2.2 allows a remote attacker to execute SQL injection via a crafted payload in the History Tab component.

  • CVE-2024-54958 · Feb 20, 2025
    risk 0.00 · cvss · epss 0.01

    Nagios XI 2024R1.2.2 is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the Tools page. This flaw allows an attacker to inject malicious scripts into the Tools interface, which are then stored and executed in the context of other users accessing the page.

  • CVE-2024-42898 · Jan 9, 2025
    risk 0.00 · cvss · epss 0.01

    A cross-site scripting (XSS) vulnerability in Nagios XI 2024R1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Account Settings page.

  • CVE-2023-48082 · Oct 14, 2024
    risk 0.00 · cvss · epss 0.02

    Nagios XI before 2024R1 was discovered to improperly handle API key generation (keys that should be randomly generated), allowing attackers to possibly generate the same set of API keys for all users and use them to authenticate.

  • CVE-2024-43199 · Aug 7, 2024
    risk 0.00 · cvss · epss 0.01

    Nagios NDOUtils before 2.1.4 allows privilege escalation from nagios to root because certain executable files are owned by the nagios user.

  • CVE-2024-33775 · May 1, 2024
    risk 0.00 · cvss · epss 0.02

    An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet.

  • CVE-2023-51072 · Feb 2, 2024
    risk 0.00 · cvss · epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI version up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the audio file upload functionality from the Operation Center section. This allows…

  • CVE-2021-43584 · Jan 24, 2024
    risk 0.00 · cvss · epss 0.01

    A DOM-based cross-site scripting (XSS) vulnerability in the 'Tail Event Logs' functionality of the Nagios Cross-Platform Agent (NCPA) before 2.4.0 allows attackers to run arbitrary code via the name element when filtering for a log.

  • CVE-2023-40934 · Sep 19, 2023
    risk 0.00 · cvss · epss 0.06

    A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings.

  • CVE-2023-40932 · Sep 19, 2023
    risk 0.00 · cvss · epss 0.02

    A cross-site scripting (XSS) vulnerability in Nagios XI version 5.11.1 and below allows authenticated attackers with access to the custom logo component to inject arbitrary JavaScript or HTML via the alt-text field. This affects all pages containing the navbar including the…

  • CVE-2020-23992 · Aug 22, 2023
    risk 0.00 · cvss · epss 0.02

    Cross Site Scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via returnUrl parameter in a crafted GET request.

  • CVE-2021-31575 · Feb 6, 2023
    risk 0.00 · cvss · epss 0.02

    In Config Manager, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege from a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID:…

  • CVE-2021-31574 · Feb 6, 2023
    risk 0.00 · cvss · epss 0.02

    In Config Manager, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege from a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID:…

  • CVE-2022-32664 · Jan 3, 2023
    risk 0.00 · cvss · epss 0.01

    In Config Manager, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Patch ID: A20220004; Issue ID: OSBNB00140929.

  • CVE-2021-4285 · Dec 27, 2022
    risk 0.00 · cvss · epss 0.02

    A vulnerability classified as problematic was found in Nagios NCPA. This vulnerability affects unknown code of the file agent/listener/templates/tail.html. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. Upgrading to…

  • CVE-2022-29272 · Jun 29, 2022
    risk 0.00 · cvss · epss 0.04

    In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.

  • CVE-2022-29271 · Jun 29, 2022
    risk 0.00 · cvss · epss 0.02

    In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services. This allows an attacker to permanently disable all monitoring checks.

  • CVE-2022-29270 · Jun 29, 2022
    risk 0.00 · cvss · epss 0.02

    In Nagios XI through 5.8.5, a user can change their e-mail address without password verification.

  • CVE-2022-29269 · Jun 29, 2022
    risk 0.00 · cvss · epss 0.03

    In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails from an official email address.

  • CVE-2021-40343 · Oct 26, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Nagios XI 5.8.5. Insecure file permissions on the nagios_unbundler.py file allow the nagios user to elevate their privileges to the root user.

  • CVE-2021-37223 · Oct 5, 2021
    risk 0.00 · cvss · epss 0.08

    Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the…

  • CVE-2021-36365 · Sep 28, 2021
    risk 0.00 · cvss · epss 0.04

    Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.

  • CVE-2021-36363 · Sep 28, 2021
    risk 0.00 · cvss · epss 0.04

    Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.

  • CVE-2021-37345 · Aug 13, 2021
    risk 0.00 · cvss · epss 0.01

    Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.

  • CVE-2021-37347 · Aug 13, 2021
    risk 0.00 · cvss · epss 0.01

    Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.

  • CVE-2021-37349 · Aug 13, 2021
    risk 0.00 · cvss · epss 0.01

    Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitise input read from the database.

  • CVE-2021-37351 · Aug 13, 2021
    risk 0.00 · cvss · epss 0.03

    Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.

  • CVE-2021-37352 · Aug 13, 2021
    risk 0.00 · cvss · epss 0.06

    An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.

  • CVE-2021-37353 · Aug 13, 2021
    risk 0.00 · cvss · epss 0.03

    Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitisation in table_population.php.

  • CVE-2020-28910 · May 24, 2021
    risk 0.00 · cvss · epss 0.04

    Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.

  • CVE-2020-28906 · May 24, 2021
    risk 0.00 · cvss · epss 0.05

    Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are able to modify files that are included (aka sourced) by scripts executed by root.

  • CVE-2020-28900 · May 24, 2021
    risk 0.00 · cvss · epss 0.02

    Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.
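The two Nagios Log Server API entries above (CVE-2025-44824 and CVE-2025-44823) quote concrete request paths, which is enough to hunt for abuse in the web server's access log. The script below is an added example, not code from VYPR or Nagios. It assumes the web server in front of Nagios Log Server writes Apache combined-format access logs; the sample log lines, client addresses and timestamps are constructed. Findings are reported regardless of HTTP status, because the first entry notes that Elasticsearch stops even when the API answers "Could not stop elasticsearch", so a response code proves nothing either way.

```python
"""Hunt an access log for the two Nagios Log Server API calls named above
(CVE-2025-44824 stop-Elasticsearch, CVE-2025-44823 get_users key leak).
Added example with constructed log lines; not Nagios or VYPR code."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format is assumed for the web server in front of NLS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The request paths below are quoted verbatim from the CVE entries.
API_BASE = "/nagioslogserver/index.php/api/system/"


def classify(target):
    """Map one request target (path plus query) to the CVE it matches, or None."""
    parts = urlsplit(target)
    if not parts.path.startswith(API_BASE):
        return None
    endpoint = parts.path[len(API_BASE):]
    query = parse_qs(parts.query)
    if endpoint == "stop" and "elasticsearch" in query.get("subsystem", []):
        return "CVE-2025-44824"   # read-only API access suffices to stop the service
    if endpoint == "get_users":
        return "CVE-2025-44823"   # response carries admin API keys in cleartext
    return None


def scan(lines):
    """Return one finding per matching request. The HTTP status is recorded but
    never used as a filter: per CVE-2025-44824 the stop succeeds even when the
    API answers "Could not stop elasticsearch"."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        cve = classify(m["target"])
        if cve:
            findings.append({
                "cve": cve, "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                "status": int(m["status"]), "target": m["target"],
            })
    return findings


# Constructed sample; hosts, times and byte counts are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Oct/2025:10:15:01 +0000] "GET /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch HTTP/1.1" 200 87 "-" "curl/8.4.0"',
    '10.0.0.7 - - [07/Oct/2025:10:15:04 +0000] "GET /nagioslogserver/index.php/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/Oct/2025:10:15:09 +0000] "GET /nagioslogserver/index.php/api/system/get_users HTTP/1.1" 200 2310 "-" "curl/8.4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['cve']} {f['target']} (status {f['status']})")
```

One caveat: only query strings reach the access log. A client that sends subsystem=elasticsearch in a POST body is invisible to this rule unless request bodies or the application's own log are available, in which case any call to the stop endpoint should be flagged on path alone.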
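Several of the Nagios XI, Nagios Fusion and NDOUtils entries above (CVE-2020-28906, CVE-2020-28910, CVE-2021-36363, CVE-2021-36365, CVE-2021-37345, CVE-2021-40343, CVE-2024-43199) share one root cause: a file that a root-run script sources, includes or executes is owned or writable by the unprivileged nagios user, or sits where that user can plant a symlink. The audit below is an added example, not Nagios or VYPR code. For each path it checks the properties an attacker needs for that class of bug: ownership outside a trusted set of uids, group or world write bits, a symlink standing in for the file, and a world-writable parent directory without the sticky bit. The file names and temporary directory in demo() are constructed; on a real host you would pass the actual scripts and config files (for instance the ones named in the entries) with trusted_uids={0}.

```python
"""Audit files read or executed by privileged Nagios helper scripts for the
ownership and permission weaknesses behind the privilege-escalation entries
above. Added example with constructed paths; not Nagios or VYPR code."""
import os
import stat
import tempfile


def audit_path(path, trusted_uids=frozenset({0})):
    """Return human-readable findings for one path; an empty list means none
    of the audited weaknesses is present."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]

    if stat.S_ISLNK(st.st_mode):
        # A root script opening this name follows the link (cf. CVE-2020-28910).
        findings.append(f"{path}: is a symlink to {os.readlink(path)}")
        try:
            st = os.stat(path)  # audit the target, not the link itself
        except FileNotFoundError:
            findings.append(f"{path}: dangling symlink")
            return findings

    if st.st_uid not in trusted_uids:
        # The owner can chmod or rewrite the file whatever the mode bits say.
        findings.append(f"{path}: owned by uid {st.st_uid}, not a trusted uid")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")

    # Whoever can write the parent directory can replace the file outright.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid not in trusted_uids:
        findings.append(f"{parent}: directory owned by uid {pst.st_uid}, not a trusted uid")
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"{parent}: world-writable directory without sticky bit")
    return findings


def audit(paths, trusted_uids=frozenset({0})):
    """Audit many paths; returns {path: findings}."""
    return {p: audit_path(p, trusted_uids) for p in paths}


def demo():
    """Constructed scenario in a fresh temp dir: one safe file, one that is
    group- and world-writable, and a symlink pointing at the unsafe one. The
    temp dir belongs to the current user, so that uid is the trusted one here."""
    d = tempfile.mkdtemp(prefix="nagios-perm-audit-")
    me = frozenset({os.getuid()})
    safe = os.path.join(d, "xi-sys.cfg")        # file name taken from CVE-2021-37345
    unsafe = os.path.join(d, "repairmysql.sh")  # file name taken from CVE-2021-36365
    link = os.path.join(d, "getprofile.tmp")    # hypothetical symlink name
    for p, mode in ((safe, 0o644), (unsafe, 0o666)):
        with open(p, "w") as fh:
            fh.write("# constructed\n")
        os.chmod(p, mode)
    os.symlink(unsafe, link)
    return {"safe": audit_path(safe, me), "unsafe": audit_path(unsafe, me),
            "link": audit_path(link, me)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

The check is deliberately about who can change the file, not only about mode bits: a 0644 file owned by nagios is just as exploitable as a 0666 one owned by root, since the owner can rewrite it, and a correct file in a directory the nagios user can write to can simply be replaced.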

Page 5 of 6