Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and mis
Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to
Nagios XI versions prior to 5.7.3 contain a privilege escalation vulnerability in the getprofile.sh helper script. The script performed profile retrieval and initialization routines using insecure fil
Nagios XI versions prior to < 2024R1.1.2 are vulnerable to a reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-
Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of us
Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations o
Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input
Nagios XI versions prior to 2024R1.2 contain a privilege escalation vulnerability related to NagVis configuration handling (nagvis.conf). An authenticated user could manipulate NagVis configuration da
Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials
In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability.
Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability
Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request param
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.6 / Nagios XI 5.8.8 contains a cross-site scripting (XSS) vulnerability via the search and deletion interfaces. Insufficient valida
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple cross-site scripting (XSS) vulnerabilities in the object edit pages. Insufficient validation
Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have ac
Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by ww
Nagios XI versions prior to 2024R1.1.4 contain a local file inclusion (LFI) vulnerability via its NagVis integration. An authenticated user can supply crafted path values that cause the server to incl
Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is no
Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compr
Nagios XI versions prior to 5.5.7 contain a privilege escalation vulnerability in the MRTG graphing component. MRTG-related processes/scripts executed with excessive privileges, allowing a local attac