Nagios Log Server
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Nagios Log Server.
By the Year
In 2026 there have been 0 vulnerabilities in Nagios Log Server. Last year, in 2025 Log Server had 19 security vulnerabilities published. Right now, Log Server is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 19 | 9.20 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 3 | 5.63 |
| 2020 | 1 | 0.00 |
| 2019 | 1 | 6.10 |
It may take a day or so for new Log Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Nagios Log Server Security Vulnerabilities
Nagios Log Server <2026R1.0.1: LPE via sudo & FS perms
CVE-2025-34323
- November 17, 2025
Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to a combination of sudo misconfiguration and group-writable application directories. The 'www-data' user is a member of the 'nagios' group, which has write access to '/usr/local/nagioslogserver/scripts', while several scripts in this directory are owned by root and may be executed via sudo without a password. A local attacker running as 'www-data' can move one of these root-owned scripts to a backup name and create a replacement script with attacker-controlled content at the original path, then invoke it with sudo. This allows arbitrary commands to be executed with root privileges, providing full compromise of the underlying operating system.
Incorrect Permission Assignment for Critical Resource
Nagios Log Server 2026R1.0.1 Authenticated Command Injection via NL Queries
CVE-2025-34322
- November 17, 2025
Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settingsincluding model selection and connection parametersare read from the global configuration and concatenated into a shell command that is executed via shell_exec() without proper input handling or command-line argument sanitation. An authenticated user with access to the 'Global Settings' page can supply crafted values in these fields to inject additional shell commands, resulting in arbitrary command execution as the 'www-data' user and compromise of the Log Server host.
Shell injection
XSS via Snapshots Page in Nagios Log Server <2.1.14
CVE-2023-7321
- October 30, 2025
Nagios Log Server versions prior to 2.1.14 are vulnerable to cross-site scripting (XSS) via the Snapshots Page. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victims browser within the application origin.
XSS
Nagios Log Server XSS via Create User
CVE-2023-7323
- October 30, 2025
Nagios Log Server versions prior to 2024R1 are vulnerable to cross-site scripting (XSS) via the Create User function. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
XSS
Nagios Log Server <2.1.6 XSS via User/Host Pages
CVE-2020-36858
- October 30, 2025
Nagios Log Server versions prior to 2.1.6 contain cross-site scripting (XSS) vulnerabilities via the web interface on the Create User, Edit User, and Manage Host Lists pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
XSS
Nagios Log Server Stored XSS via Username Injection
CVE-2024-58272
- October 30, 2025
Nagios Log Server <2024R1.3.2 Priv Esc via Email-Change Workflows
CVE-2025-34298
- October 30, 2025
Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls.
Improper Preservation of Permissions
Nagios Log Server <=2024R1.3.1: unvalidated dashboard ID leads to code execution
CVE-2025-34277
- October 30, 2025
Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply crafted dashboard ID values can cause the system to execute attacker-controlled data, leading to arbitrary code execution in the context of the Log Server process.
Code Injection
Nagios Log Server 2024R2.0.3: Default Dashboard Deletion Info Leakage
CVE-2025-34272
- October 30, 2025
In Nagios Log Server versions prior to 2024R2.0.3, when a user's configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementations this can result in an unexpected dashboard being presented as the user's default view. Depending on the product's dashboard sharing and access policies, this behavior may cause information exposure or unexpected privilege exposure.
Information Disclosure
Nagios Log Server <2024R2.0.3: Auth Bypass Allows Global Dashboard Deletion
CVE-2025-34273
- October 30, 2025
Nagios Log Server versions prior to 2024R2.0.3 contain an incorrect authorization vulnerability that allows non-administrator users to delete global dashboards. The application did not correctly enforce authorization checks for the global dashboard deletion workflow, enabling lower-privileged users to remove dashboards that affect other users or the overall monitoring UI.
AuthZ
Nagios Log Server LPE (pre2024R1.0.2) CVE202458273
CVE-2024-58273
- October 30, 2025
Nagios Log Server versions prior to 2024R1.0.2 contain a local privilege escalation vulnerability that allows an attacker who could execute commands as the Apache web user (or the backend shell user) to escalate to root on the host.
Incorrect Privilege Assignment
Nagios Log Server 2024R2.0.3: Logstash runs as root (privilege escalation)
CVE-2025-34274
- October 30, 2025
Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compromise the Logstash process - for example by exploiting an insecure plugin, pipeline configuration injection, or a vulnerability in input parsing - the attacker could execute code with root privileges, resulting in full system compromise. The Logstash service has been altered to run as the lower-privileged 'nagios' user to reduce this risk associated with a network-facing service that can accept untrusted input or load third-party components.
Execution with Unnecessary Privileges
Nagios Log Server: API Auth Check Flaw CVE-2023-7322
CVE-2023-7322
- October 30, 2025
Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect authorization check could allow authenticated but non-privileged users to read or modify resources beyond their intended rights.
AuthZ
Nagios Log Server XSS before 1.4.2 in Dashboards
CVE-2016-15049
- October 30, 2025
Nagios Log Server versions prior to 1.4.2 are vulnerable to cross-site scripting (XSS) in the Dashboards section when rendering log entries in the Logs table. Untrusted log content was not safely encoded for the output context, allowing attacker-controlled data present in logs to execute script in the victims browser within the application origin.
XSS
Nagios Log Server <=2024R2.0.2 Cred Theft via Unencrypted Channel
CVE-2025-34271
- October 30, 2025
Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/TLS is enabled in the product configuration. As a result, an attacker positioned on the network path can intercept credentials in transit. Captured credentials could allow the attacker to authenticate as a cluster node or service account, enabling further unauthorized access, lateral movement, or system compromise.
Cleartext Transmission of Sensitive Information
Nagios Log Server <2024R2.0.2 AD/LDAP Import Plaintext Password Leak
CVE-2025-34270
- October 30, 2025
Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.
Cleartext Storage of Sensitive Information
Nagios Log Server < 2024R1.3.2: Authenticated Admin API Key Retrieval via get_users API
CVE-2025-44823
9.9 - Critical
- October 07, 2025
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Nagios Log Server <= 2024R1.3.2: Authenticated API can stop Elasticsearch
CVE-2025-44824
8.5 - High
- October 07, 2025
Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response. This is GL:NLS#474.
AuthZ
CVE-2025-29471: XSS in Nagios Log Server v2024R1.3.1 Email Field
CVE-2025-29471
- April 15, 2025
Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field.
Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter
CVE-2021-35479
5.4 - Medium
- July 30, 2021
Nagios Log Server before 2.1.9 contains Stored XSS in the custom column view for the alert history and audit log function through the affected pp parameter. This affects users who open a crafted link or third-party web page.
XSS
Nagios Log Server before 2.1.9 contains Reflected XSS in the dropdown box for the alert history and audit log function
CVE-2021-35478
5.4 - Medium
- July 30, 2021
Nagios Log Server before 2.1.9 contains Reflected XSS in the dropdown box for the alert history and audit log function. All parameters used for filtering are affected. This affects users who open a crafted link or third-party web page.
XSS
Nagios Log Server 2.1.7 contains a cross-site scripting (XSS) vulnerability in /nagioslogserver/configure/create_snapshot through the snapshot_name parameter
CVE-2020-25385
6.1 - Medium
- January 20, 2021
Nagios Log Server 2.1.7 contains a cross-site scripting (XSS) vulnerability in /nagioslogserver/configure/create_snapshot through the snapshot_name parameter, which may impact users who open a maliciously crafted link or third-party web page.
XSS
A Stored XSS vulnerability exists in Nagios Log Server before 2.1.7
CVE-2020-16157
- July 30, 2020
A Stored XSS vulnerability exists in Nagios Log Server before 2.1.7 via the Notification Methods -> Email Users menu.
Nagios Log Server before 2.0.8
CVE-2019-15898
6.1 - Medium
- September 03, 2019
Nagios Log Server before 2.0.8 allows Reflected XSS via the username on the Login page.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Nagios Log Server or by Nagios? Click the Watch button to subscribe.
