8.7

CVSS4.0

CVE-2020-36869 - Nagios XI < 5.7.5 SQL injection via SNMP Trap Interface Edit Page

Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized…

📅 Published: Oct. 30, 2025, 9:45 p.m. 🔄 Last Modified: Nov. 5, 2025, 6:23 p.m.

8.7

CVSS4.0

CVE-2016-15050 - Nagios XI < 5.2.4 SQL Injection in Notification Search

Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitation, allowing an authenticated user to manipulate database queries. Suc…

📅 Published: Oct. 30, 2025, 9:44 p.m. 🔄 Last Modified: Nov. 5, 2025, 6:27 p.m.

9.2

CVSS4.0

CVE-2024-13996 - Nagios XI < 2024R1.1.3 Session Not Invalidated After Password Change

Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session ex…

📅 Published: Oct. 30, 2025, 9:44 p.m. 🔄 Last Modified: Nov. 6, 2025, 4:17 p.m.

5.1

CVSS4.0

CVE-2024-13993 - Nagios XI < 2024R1.1.2 Reflected XSS via Login Page on Older Browsers

Nagios XI versions prior to 2024R1.1.2 are vulnerable to reflected cross-site scripting (XSS) via the login page when accessed with older web browsers. Insufficient validation or escaping of user-supplied input reflected by the login page can allow an attacker to craft a malicious link that, wh…

📅 Published: Oct. 30, 2025, 9:43 p.m. 🔄 Last Modified: Nov. 6, 2025, 4:18 p.m.

5.1

CVSS4.0

CVE-2013-10071 - Nagios XI < 2012R1.6 Reflected XSS via Dashlet AJAX Load Functionality

Nagios XI versions prior to 2012R1.6 contain a reflected cross-site scripting (XSS) vulnerability in the dashboard dashlet AJAX load functionality. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's br…

📅 Published: Oct. 30, 2025, 9:43 p.m. 🔄 Last Modified: Nov. 6, 2025, 3:16 p.m.

9.4

CVSS4.0

CVE-2024-14008 - Nagios XI < 2024R1.3.2 RCE via WinRM Configuration Wizard

Nagios XI versions prior to 2024R1.3.2 contain a remote command execution vulnerability in the WinRM Configuration Wizard. Insufficient validation of user-supplied input allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Succ…

📅 Published: Oct. 30, 2025, 9:43 p.m. 🔄 Last Modified: Nov. 6, 2025, 6:17 p.m.

9.4

CVSS4.0

CVE-2025-34286 - Nagios XI < 2026R1 RCE via Run Check Command in CCM

Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are exec…

📅 Published: Oct. 30, 2025, 9:42 p.m. 🔄 Last Modified: Nov. 6, 2025, 6:13 p.m.

9.4

CVSS4.0

CVE-2024-14003 - Nagios XI < 2024R1.2 RCE via NRDP Server Plugins

Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrar…

📅 Published: Oct. 30, 2025, 9:42 p.m. 🔄 Last Modified: Nov. 6, 2025, 4:09 p.m.

9.4

CVSS4.0

CVE-2025-34134 - Nagios XI < 2024R1.4.2 RCE via Business Process Intelligence (BPI)

Nagios XI versions prior to 2024R1.4.2 contain a remote code execution vulnerability in the Business Process Intelligence (BPI) component. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters (notably bpi_logfile and bpi_configfile) allow an authenticate…

📅 Published: Oct. 30, 2025, 9:41 p.m. 🔄 Last Modified: Nov. 6, 2025, 6:17 p.m.

7.3

CVSS4.0

CVE-2011-10035 - Nagios XI < 2011R1.9 Race Conditions in Crontab Install Scripts LPE

Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesys…

📅 Published: Oct. 30, 2025, 9:41 p.m. 🔄 Last Modified: Nov. 6, 2025, 2:13 p.m.