Nagios
Known Exploited Nagios Vulnerabilities
The following Nagios vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Nagios XI OS Command Injection (CVE-2021-25296) | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. EPSS exploit probability: 93.6% | January 18, 2022 |
| Nagios XI OS Command Injection (CVE-2021-25297) | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. EPSS exploit probability: 79.9% | January 18, 2022 |
| Nagios XI OS Command Injection (CVE-2021-25298) | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. EPSS exploit probability: 75.5% | January 18, 2022 |
| Nagios XI Remote Code Execution Vulnerability (CVE-2019-15949) | The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. EPSS exploit probability: 87.1% | November 3, 2021 |
Of the known exploited vulnerabilities above, 3 are in the top 1% (the 99th percentile) of the EPSS exploit probability rankings. CVE-2021-25298 (Nagios XI OS Command Injection) is in the top 5% of currently known exploitable vulnerabilities.
By the Year
So far in 2026 there have been 3 vulnerabilities published for Nagios. Last year, in 2025, Nagios had 122 security vulnerabilities published. At the current rate, Nagios is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 3 | 0.00 |
| 2025 | 122 | 8.67 |
| 2024 | 7 | 6.95 |
| 2023 | 7 | 7.66 |
| 2022 | 11 | 6.11 |
| 2021 | 49 | 8.09 |
| 2020 | 22 | 7.12 |
| 2019 | 15 | 6.98 |
| 2018 | 25 | 7.40 |
It may take a day or so for new Nagios vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Nagios Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2026-2041 | Feb 20, 2026 | **Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability.** This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the zabbixagent_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28250. |
| CVE-2026-2043 | Feb 20, 2026 | **Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability.** This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the esensors_websensor_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249. |
| CVE-2026-2042 | Feb 20, 2026 | **Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability.** This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the monitoringwizard module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28245. |
| CVE-2025-34288 | Dec 16, 2025 | **Nagios XI local privilege escalation via maintenance script (before 2026R1.1).** Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user-accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower-privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user. |
| CVE-2025-34323 | Nov 17, 2025 | **Nagios Log Server local privilege escalation via sudo and filesystem permissions (before 2026R1.0.1).** Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to a combination of sudo misconfiguration and group-writable application directories. The 'www-data' user is a member of the 'nagios' group, which has write access to '/usr/local/nagioslogserver/scripts', while several scripts in this directory are owned by root and may be executed via sudo without a password. A local attacker running as 'www-data' can move one of these root-owned scripts to a backup name and create a replacement script with attacker-controlled content at the original path, then invoke it with sudo. This allows arbitrary commands to be executed with root privileges, providing full compromise of the underlying operating system. |
| CVE-2025-34322 | Nov 17, 2025 | **Nagios Log Server authenticated command injection via Natural Language Queries (before 2026R1.0.1).** Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settings, including model selection and connection parameters, are read from the global configuration and concatenated into a shell command that is executed via shell_exec() without proper input handling or command-line argument sanitization. An authenticated user with access to the 'Global Settings' page can supply crafted values in these fields to inject additional shell commands, resulting in arbitrary command execution as the 'www-data' user and compromise of the Log Server host. |
| CVE-2016-15054 | Nov 03, 2025 | **Nagios XI XSS via jQuery Migrate (before 5.4.0).** |
| CVE-2021-47698 | Nov 03, 2025 | **Nagios XI XSS via Core UI Views URL handling (before 5.8.7).** Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI's Views URL handling (escape_string()). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2024-13997 | Nov 03, 2025 | **Nagios XI privilege escalation via Migrate Server (before 2024R1.1.3).** Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level attacker could execute actions outside the intended security scope of the application, resulting in full control of the operating system. |
| CVE-2024-13998 | Nov 03, 2025 | **Nagios XI authenticated disclosure of API keys and password hashes (before 2024R1.1.3).** Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions. |
| CVE-2024-13992 | Oct 31, 2025 | **Nagios XI XSS via page-missing.php (before 2024R1.1).** Nagios XI versions prior to 2024R1.1 are vulnerable to cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable component, page-missing.php, fails to properly validate or escape user-supplied input, allowing an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim's browser within the Nagios XI domain. |
| CVE-2011-10037 | Oct 30, 2025 | **Nagios XI XSS via xiwindow handling in the web interface (before 2011R1.9).** Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of xiwindow variables used to build permalinks in the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2021-47697 | Oct 30, 2025 | **Nagios XI XSS via Views URL handling (before 5.8.0).** Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via the Views feature URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2018-25121 | Oct 30, 2025 | **Nagios XI XSS via Views page (before 5.4.13).** Nagios XI versions prior to 5.4.13 are vulnerable to cross-site scripting (XSS) via the Views page of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2013-10074 | Oct 30, 2025 | **Nagios XI XSS via Tools Menu (before 2012R2.6).** Nagios XI versions prior to 2012R2.6 are vulnerable to cross-site scripting (XSS) via the Tools Menu of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2011-10040 | Oct 30, 2025 | **Nagios XI XSS via link-handling functions (before 2011R1.9).** Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2016-15051 | Oct 30, 2025 | **Nagios XI XSS via Reports startdate/enddate (before 5.2.4).** Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2011-10038 | Oct 30, 2025 | **Nagios XI XSS via recurring downtime script (before 2011R1.9).** Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2021-47695 | Oct 30, 2025 | **Nagios XI stored XSS via My Tools page (before 5.8.0).** Nagios XI versions prior to 5.8.0 are vulnerable to stored cross-site scripting (XSS) via the My Tools page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2016-15053 | Oct 30, 2025 | **Nagios XI XSS via My Reports list (before 5.2.4).** Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the My Reports listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2016-15052 | Oct 30, 2025 | **Nagios XI XSS via Menu System (before 5.2.4).** Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Menu System of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2020-36866 | Oct 30, 2025 | **Nagios XI XSS via Manage Users page (before 5.7.3).** Nagios XI versions prior to 5.7.3 are vulnerable to cross-site scripting (XSS) via the Manage Users page of the Admin interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-7316 | Oct 30, 2025 | **Nagios XI XSS via Graph Explorer (before 2024R1).** Nagios XI versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-7315 | Oct 30, 2025 | **Nagios XI XSS via Graph Explorer (before 5.11.3).** Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Graph Explorer component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2024-14001 | Oct 30, 2025 | **Nagios XI XSS via Executive Summary Report (before 2024R1.1.3).** Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Executive Summary Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2020-36864 | Oct 30, 2025 | **Nagios XI XSS via Dashboard background color settings (before 5.7.2).** Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the background color settings in Dashboards. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-7318 | Oct 30, 2025 | **Nagios XI XSS via Command Expansion (before 2024R1.0.2).** Nagios XI versions prior to 2024R1.0.2 are vulnerable to cross-site scripting (XSS) via the Nagios Core Command Expansion page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2024-14000 | Oct 30, 2025 | **Nagios XI XSS via Capacity Planning Report (before 2024R1.1.3).** Nagios XI versions prior to 2024R1.1.3 are vulnerable to cross-site scripting (XSS) via the Capacity Planning Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-7313 | Oct 30, 2025 | **Nagios XI XSS via Bulk Modifications (before 5.11.3).** Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bulk Modifications tool. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2020-36865 | Oct 30, 2025 | **Nagios XI XSS via BPI Config Management (before 5.7.2).** Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the BPI (Business Process Intelligence) component's Config Management and Edit Config page. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2021-47696 | Oct 30, 2025 | **Nagios XI XSS via BPI config ID handling (before 5.8.0).** Nagios XI versions prior to 5.8.0 are vulnerable to cross-site scripting (XSS) via BPI config ID handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-7314 | Oct 30, 2025 | **Nagios XI XSS via Bandwidth Report (before 5.11.3).** Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) via the Bandwidth Report component. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2011-10036 | Oct 30, 2025 | **Nagios XI XSS via backend_url link (before 2011R1.9).** Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2011-10039 | Oct 30, 2025 | **Nagios XI XSS via Alert Heatmap and My Reports (before 2011R1.9).** Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the Alert Heatmap report and the My Reports listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2021-47699 | Oct 30, 2025 | **Nagios XI XSS via Audit Log "Send to NLS" form (before 5.8.7).** Nagios XI versions prior to 5.8.7 are vulnerable to cross-site scripting (XSS) via the Audit Log page's Send to NLS form. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2023-53688 | Oct 30, 2025 | **Nagios XI Hypermap Replay XSS and CSRF (before 5.11.3).** Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform unwanted actions. |
| CVE-2023-7317 | Oct 30, 2025 | **Nagios XI Web SSH Terminal missing access control (before 2024R1).** Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command execution or disclosure of sensitive information. |
| CVE-2020-36863 | Oct 30, 2025 | **Nagios XI RCE via PHP upload to Audio Import directory (before 5.7.2).** Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import feature could upload a crafted PHP file and then request it to achieve remote code execution with the privileges of the application service. |
| CVE-2020-36862 | Oct 30, 2025 | **Nagios XI unauthenticated XSS and SSRF via Highcharts export (before 5.6.11).** Nagios XI versions prior to 5.6.11 contain unauthenticated vulnerabilities in the Highcharts local exporting tool. Crafted export requests could (1) inject script into exported/returned content due to insufficient output encoding (XSS), and (2) cause the server to fetch attacker-specified URLs (SSRF), potentially accessing internal network resources. An unauthenticated remote attacker can leverage these issues to execute script in a user's browser when the exported content is viewed and to disclose sensitive information reachable from the export server via SSRF. |
| CVE-2022-50587 | Oct 30, 2025 | **Nagios XI XSS via Apply Configuration error text (before 5.8.9).** Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) via the Apply Configuration error text. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2022-50586 | Oct 30, 2025 | **Nagios XI XSS in BPI via info URL field (before 5.8.9).** Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the BPI component via the info URL field. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2022-50588 | Oct 30, 2025 | **Nagios XI XSS via update check feature (before 5.8.9).** Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) in the update checking feature. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2020-36869 | Oct 30, 2025 | **Nagios XI SQL injection in SNMP Trap Interface edit page, administrative access required (before 5.7.5).** Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database. |
| CVE-2016-15050 | Oct 30, 2025 | **Nagios XI SQL injection in notification search (before 5.2.4).** Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitization, allowing an authenticated user to manipulate database queries. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly. |
| CVE-2024-13996 | Oct 30, 2025 | **Nagios XI sessions not expired on password change (before 2024R1.1.3).** Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change. |
| CVE-2024-13993 | Oct 30, 2025 | **Nagios XI reflected XSS via login page (before 2024R1.1.2).** Nagios XI versions prior to 2024R1.1.2 are vulnerable to reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim's browser within the Nagios XI origin. The issue is observable under legacy browser behaviors; modern browsers may mitigate some vectors. |
| CVE-2013-10071 | Oct 30, 2025 | **Nagios XI reflected XSS via dashboard dashlet AJAX load (before 2012R1.6).** Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. |
| CVE-2024-14008 | Oct 30, 2025 | **Nagios XI RCE via WinRM Configuration Wizard (before 2024R1.3.2).** Nagios XI versions prior to 2024R1.3.2 contain a remote command execution vulnerability in the WinRM Configuration Wizard. Insufficient validation of user-supplied input allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user. |
| CVE-2025-34286 | Oct 30, 2025 | **Nagios XI RCE via CCM Run Check shell injection (before 2026R1).** Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are executed on the server. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain control of the underlying host operating system. |
| CVE-2024-14003 | Oct 30, 2025 | **Nagios XI RCE via NRDP (before 2024R1.2).** Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of the web/Nagios service. |
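Several entries above (CVE-2025-34322, CVE-2024-14008, CVE-2025-34286, and the three 2026 Nagios Host config-wizard bugs) share one root cause: a value from a settings page or wizard is concatenated into a command line and handed to a shell. The following is an added example written for this page, not Nagios code, and it is in Python rather than the products' PHP; the `model`/`host`/`port` setting names and the `echo` command standing in for the real backend tool are constructed for illustration. It shows the flawed pattern next to the hardened one (allowlist the value, then pass argv with no shell), plus the quoting fallback for cases where a shell string is unavoidable.

```python
"""Shell command injection via concatenated settings: vulnerable vs hardened.

Added example for this page, not code from any Nagios product. The setting
names and the 'echo' backend are constructed stand-ins.
"""
import re
import shlex
import subprocess

# Constructed settings as an administrator might submit them from a settings page.
SAFE_SETTINGS = {"model": "llama3", "host": "127.0.0.1", "port": "11434"}
# The same form with a shell metacharacter in the model field.
HOSTILE_SETTINGS = {"model": "llama3; echo INJECTED", "host": "127.0.0.1", "port": "11434"}


def build_operands(settings):
    """The two operands the backend tool is given (shared by all variants below)."""
    return ["model=" + settings["model"],
            "host=" + settings["host"] + ":" + settings["port"]]


def run_vulnerable(settings):
    """Mirrors the flawed pattern: concatenate, then let a shell parse the result.

    With HOSTILE_SETTINGS the shell sees 'echo model=llama3; echo INJECTED host=...'
    and runs two commands.  Analogous to shell_exec("cmd " . $setting) in PHP.
    """
    cmd = "echo " + " ".join(build_operands(settings))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlists: accept only what a legitimate value can look like, reject everything else.
ALLOWED = {
    "model": re.compile(r"^[A-Za-z0-9._:-]{1,64}$"),
    "host": re.compile(r"^[A-Za-z0-9.-]{1,253}$"),
    "port": re.compile(r"^[0-9]{1,5}$"),
}


def validate(settings):
    """Raise ValueError on any setting that fails its allowlist; return settings otherwise."""
    for key, pattern in ALLOWED.items():
        value = settings.get(key, "")
        if not pattern.match(value):
            raise ValueError(f"setting {key!r} rejected: {value!r}")
    return settings


def run_hardened(settings):
    """Validate every value, then pass an argv list: no shell ever parses the data."""
    argv = ["echo", *build_operands(validate(settings))]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def shell_safe_command(settings):
    """If a shell string truly cannot be avoided, quote each operand after validating.

    shlex.quote plays the role escapeshellarg() plays in PHP; it is a second line of
    defence behind the allowlist, not a replacement for it.
    """
    return "echo " + " ".join(shlex.quote(op) for op in build_operands(validate(settings)))


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(HOSTILE_SETTINGS)))
    print("hardened  :", repr(run_hardened(SAFE_SETTINGS)))
    try:
        run_hardened(HOSTILE_SETTINGS)
    except ValueError as exc:
        print("hardened rejects hostile input:", exc)
```

The order matters: validation runs before any command is assembled, so a rejected value never reaches `subprocess` at all, and the argv form means that even a value which slips past the allowlist is delivered to the program as a single literal argument rather than re-parsed by `/bin/sh`.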
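A second pattern recurs in CVE-2019-15949, CVE-2025-34288 and CVE-2025-34323: a passwordless sudo entry runs a script as root, while the script itself, its directory, or a file it pulls in at run time is writable by the low-privilege account allowed to invoke it. The audit below is an added example written for this page, not a Nagios tool. It models the filesystem as a dictionary of owner/group/mode records so it runs offline; the sudoers lines, script names, and the `includes` edges are constructed stand-ins (only `/usr/local/nagioslogserver/scripts` and the `www-data`/`nagios` group relationship come from the CVE text above). It flags any root NOPASSWD target that the given principal could rewrite or replace, following include edges the way CVE-2019-15949's getprofile.sh reaches check_plugin.

```python
"""Audit NOPASSWD sudo targets for write access by the invoking low-privilege user.

Added example for this page, not Nagios code. The filesystem is simulated so the
check runs offline; paths and sudoers entries are constructed stand-ins.
"""
import re
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    owner: str
    group: str
    mode: int            # permission bits, e.g. 0o775
    includes: tuple = () # files this script sources or executes at run time (constructed edges)


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset


# Matches "user ALL=(root) NOPASSWD: /path/one, /path/two args" and "%group ALL=NOPASSWD: ..."
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+ALL=(?:\((?P<runas>[^)]+)\))?\s*NOPASSWD:\s*(?P<cmds>.+)$")


def parse_nopasswd(sudoers):
    """Yield (who, runas, command_path) for every NOPASSWD entry in the sudoers text."""
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"   # sudo's default target user
        for cmd in m.group("cmds").split(","):
            yield m.group("who"), runas, cmd.strip().split()[0]


def writable_by(path, fs, who):
    """Owner, group or world write bit on `path`, evaluated for `who`."""
    info = fs.get(path)
    if info is None:
        return False
    if info.owner == who.user and info.mode & stat.S_IWUSR:
        return True
    if info.group in who.groups and info.mode & stat.S_IWGRP:
        return True
    return bool(info.mode & stat.S_IWOTH)


def dirname(path):
    return path.rsplit("/", 1)[0] or "/"


def entry_applies(who_spec, principal):
    return who_spec == principal.user or (
        who_spec.startswith("%") and who_spec[1:] in principal.groups)


def audit(sudoers, fs, principal):
    """Return (sudo_target, reason) for every root NOPASSWD target the principal can hijack."""
    findings = []
    for who, runas, cmd in parse_nopasswd(sudoers):
        if runas not in ("root", "ALL") or not entry_applies(who, principal):
            continue
        to_check, seen = [(cmd, "script")], set()
        while to_check:                      # walk the target plus everything it includes
            path, kind = to_check.pop()
            if path in seen:
                continue
            seen.add(path)
            if writable_by(path, fs, principal):
                findings.append((cmd, f"{kind} {path} is writable by {principal.user}"))
            if writable_by(dirname(path), fs, principal):
                findings.append((cmd, f"directory {dirname(path)} is writable by "
                                      f"{principal.user}; {path} can be replaced"))
            info = fs.get(path)
            if info:
                to_check.extend((inc, "included file") for inc in info.includes)
    return findings


# Constructed sudoers and filesystem; not the configuration shipped by any Nagios product.
SAMPLE_SUDOERS = """
nagios ALL=(root) NOPASSWD: /opt/example/scripts/profile.sh, /opt/example/scripts/safe.sh
www-data ALL=(root) NOPASSWD: /usr/local/nagioslogserver/scripts/maint.sh, /usr/bin/systemctl restart nagios
"""
SAMPLE_FS = {
    "/opt/example/scripts":            FileInfo("root", "root", 0o755),
    "/opt/example/scripts/profile.sh": FileInfo("root", "root", 0o755, includes=("/opt/example/libexec/check_plugin",)),
    "/opt/example/scripts/safe.sh":    FileInfo("root", "root", 0o755),
    "/opt/example/libexec":            FileInfo("nagios", "nagios", 0o755),   # owned by the low-priv user
    "/opt/example/libexec/check_plugin": FileInfo("nagios", "nagios", 0o755),
    "/usr/local/nagioslogserver/scripts": FileInfo("root", "nagios", 0o775),  # group-writable, www-data in group
    "/usr/local/nagioslogserver/scripts/maint.sh": FileInfo("root", "root", 0o755),
    "/usr/bin":           FileInfo("root", "root", 0o755),
    "/usr/bin/systemctl": FileInfo("root", "root", 0o755),
}

if __name__ == "__main__":
    for p in (Principal("nagios", frozenset({"nagios"})),
              Principal("www-data", frozenset({"www-data", "nagios"}))):
        for target, reason in audit(SAMPLE_SUDOERS, SAMPLE_FS, p):
            print(f"{p.user}: {target}: {reason}")
```

On a real host the same logic applies with `os.stat()` in place of the dictionary and `sudo -l -U <user>` output in place of the sample text; the fix in every case is the same: root-owned, root-writable-only scripts and directories for anything reachable from a NOPASSWD entry, and no include edge into a path the invoking account owns.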