Search
Search Results (6 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34227 | 1 Nagios | 2 Nagios Xi, Xi | 2026-02-26 | 8.8 High |
| Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user. | ||||
| CVE-2024-13986 | 1 Nagios | 2 Nagios Xi, Xi | 2026-02-26 | 8.8 High |
| Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user. | ||||
| CVE-2025-34288 | 1 Nagios | 2 Nagios Xi, Xi | 2026-02-26 | 6.7 Medium |
| Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower‑privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user. | ||||
| CVE-2025-56432 | 1 Nagios | 3 Nagios, Nagios Xi, Xi | 2025-09-09 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data. | ||||
| CVE-2012-10029 | 1 Nagios | 3 Nagios, Nagios Xi, Xi | 2025-08-06 | N/A |
| Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized parameters such as `host`, resulting in remote code execution. | ||||
| CVE-2023-48082 | 1 Nagios | 2 Nagios Xi, Xi | 2025-07-10 | 9.1 Critical |
| Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate. | ||||
Page 1 of 1.