Filtered by vendor Nagios
Subscriptions
Total
302 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2011-10036 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-17 | 5.4 Medium |
| Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2011-10035 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-17 | 7.0 High |
| Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the files or commands executed with elevated privileges, resulting in execution with higher privileges. | ||||
| CVE-2024-13999 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-17 | 9.8 Critical |
| Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or LDAP authentication token to an authenticated user. Exposure of the server’s AD/LDAP token could allow domain-wide authentication misuse, escalation of privileges, or further compromise of network-integrated systems. | ||||
| CVE-2024-58272 | 1 Nagios | 1 Log Server | 2025-11-10 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a duplicate of CVE-2023-7323. | ||||
| CVE-2016-15054 | 1 Nagios | 1 Xi | 2025-11-10 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a downstream effect of an already identified vulnerability, CVE-2012-6708. | ||||
| CVE-2025-34269 | 1 Nagios | 1 Fusion | 2025-11-07 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a duplicate of CVE-2025-60424. | ||||
| CVE-2025-34249 | 1 Nagios | 1 Fusion | 2025-11-07 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a duplicate of CVE-2025-60425. | ||||
| CVE-2025-44823 | 1 Nagios | 1 Log Server | 2025-11-06 | 9.9 Critical |
| Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475. | ||||
| CVE-2025-44824 | 1 Nagios | 1 Log Server | 2025-11-06 | 8.5 High |
| Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response. This is GL:NLS#474. | ||||
| CVE-2019-15949 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | 8.8 High |
| Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root. | ||||
| CVE-2025-60424 | 1 Nagios | 1 Fusion | 2025-11-05 | 7.6 High |
| A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack. | ||||
| CVE-2025-60425 | 1 Nagios | 1 Fusion | 2025-11-05 | 8.6 High |
| Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack. | ||||
| CVE-2021-25296 | 1 Nagios | 1 Nagios Xi | 2025-11-03 | 8.8 High |
| Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | ||||
| CVE-2021-25297 | 1 Nagios | 1 Nagios Xi | 2025-11-03 | 8.8 High |
| Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | ||||
| CVE-2021-25298 | 1 Nagios | 1 Nagios Xi | 2025-11-03 | 8.8 High |
| Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. | ||||
| CVE-2021-47692 | 1 Nagios | 1 Xi | 2025-10-31 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. It has been identified as a duplicate of https://www.cve.org/CVERecord?id=CVE-2021-33179 . | ||||
| CVE-2025-56432 | 1 Nagios | 3 Nagios, Nagios Xi, Xi | 2025-09-09 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data. | ||||
| CVE-2025-28131 | 1 Nagios | 1 Network Analyzer | 2025-07-11 | 4.6 Medium |
| A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability. | ||||
| CVE-2025-28059 | 1 Nagios | 1 Network Analyzer | 2025-07-11 | 7.5 High |
| An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions. | ||||
| CVE-2023-48082 | 1 Nagios | 2 Nagios Xi, Xi | 2025-07-10 | 9.1 Critical |
| Nagios XI before 2024R1 was discovered to improperly handle API keys generation (randomly-generated), allowing attackers to possibly generate the same set of API keys for all users and utilize them to authenticate. | ||||