Nagios Fusion versions prior to 4.0.1 are vulnerable to cross-site scripting (XSS) via the Users and Servers pages. Insufficient validation or escaping of user-supplied input may allow an attacker to
Nagios XI versions prior to 5.7.2 are vulnerable to cross-site scripting (XSS) via the BPI (Business Process Intelligence) component’s Config Management and Edit Config page. Insufficient validation o
Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain
Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in u
Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compr
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.7 / Nagios XI 5.8.9 contains a cross-site scripting (XSS) vulnerability via the Audit Log page search input. Insufficient validatio
Nagios XI versions prior to 5.8.9 are vulnerable to cross-site scripting (XSS) via the Apply Configuration error text. Insufficient validation or escaping of user-supplied input may allow an attacker
Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext pa
A SQL Injection vulnerability in Nagios XI 2024R1.2.2 allows a remote attacker to execute SQL injection via a crafted payload in the History Tab component.
Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is no
Nagios Fusion versions prior to 4.2.0 contain a reflected cross-site scripting (XSS) vulnerability in the license key configuration flow that can result in execution of attacker-controlled script in t
Nagios Fusion versions prior to 4.1.5 are vulnerable to cross-site scripting (XSS) via the "fusionwindow" parameter. Insufficient validation or escaping of user-supplied input may allow an attacker to
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.4 / Nagios XI 5.8.6 contains a reflected cross-site scripting (XSS) vulnerability via the Test Command functionality. Insufficient
Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/
In Nagios Log Server versions prior to 2024R2.0.3, when a user's configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementa
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.8 / Nagios XI 5.7.5 contains multiple cross-site scripting (XSS) vulnerabilities in the overlay UI elements and the Notification/Ch
Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled i
Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient valid
Nagios XI versions prior to < 2024R1.1 is vulnerable to a cross-site scripting (XSS) when a user visits the "missing page" (404) page after following a link from another website. The vulnerable compon
Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backe