Nagios Xi
Vulnerabilities
194
Known exploited
4
Max CVSS
9.8
Top EPSS
0.96861
Severity breakdown
Critical
32
High
70
Medium
92
Low
0
Affected version ranges
5.11.0–5.11.25.2.0–5.2.95.2.0–5.4.135.5.6–5.7.55.6.0–5.7.3< 2012< 2014< 2024< 2024r1.3.2< 2026< 5.11.2< 5.11.3< 5.2.4< 5.4.13< 5.5.11< 5.5.4< 5.5.7< 5.5.8< 5.6.11< 5.6.14< 5.6.6< 5.7< 5.7.2< 5.7.3
Also matched as (raw): favorites,fusion,nagios_xi
Top vulnerabilities
CVE-2024-33775An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet.
CVE-2024-24402An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.
CVE-2024-24401SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.
CVE-2023-48085Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.
CVE-2023-48084Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.
CVE-2022-38250Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.
CVE-2021-37350Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation.
CVE-2021-36366Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.
CVE-2021-36365Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.
CVE-2021-36364Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.
CVE-2021-36363Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.
CVE-2021-3193Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.
CVE-2020-28910Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.
CVE-2020-28900Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.
CVE-2020-15903An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by nagios user. This issue was fixed in version 5.7.3.
CVE-2019-9165SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.
CVE-2019-12279Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issues as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that can be done with the variable provided, and while the username value being passed does get used in a SQL query, it is passed through SQL escaping functions when creating the call. The vendor tried re-creating the issue with no luck
CVE-2018-8734SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
CVE-2018-8733Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
CVE-2018-15708Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.
CVE-2025-34286Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are executed on the server. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain control of the underlying host operating system.
CVE-2025-34284Nagios XI versions prior to 2024R2 contain a command injection vulnerability in the WinRM plugin. Insufficient validation of user-supplied parameters allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to modify configuration, exfiltrate data, disrupt monitoring operations, or execute commands on the underlying host operating system.
CVE-2025-34134Nagios XI versions prior to 2024R1.4.2 contain a remote code execution vulnerability in the Business Process Intelligence (BPI) component. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters (notably bpi_logfile and bpi_configfile) allow an authenticated administrative user to cause the product to create or overwrite files within the webroot and subsequently edit them via the BPI configuration editor. When such files carry executable extensions and are served by the web application, arbitrary code may be executed in the context of the web application user. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain further control of the underlying host operating system.
CVE-2024-14009Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability. Due to improper access controls and unsafe handling of exported/imported profile data and operations, an authenticated administrator could exploit this vulnerability to execute actions on the underlying XI host outside the application's security scope. Successful exploitation may allow an administrator to obtain root privileges on the XI server.
CVE-2024-14008Nagios XI versions prior to 2024R1.3.2 contain a remote command execution vulnerability in the WinRM Configuration Wizard. Insufficient validation of user-supplied input allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user.