Nagios: Security Vulnerabilities
Nagios Fusion v2024R1.2 and v2024R2 do not invalidate existing session tokens when the two-factor authentication mechanism is enabled, so a session token issued before 2FA was turned on stays valid and can be used for session hijacking.
CVSS Score: 8.6 | EPSS Score: 0.021 | Published: 2025-10-27
A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication by brute-forcing the one-time code.
CVSS Score: 7.6 | EPSS Score: 0.003 | Published: 2025-10-27
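The two Nagios Fusion entries above are the same second-factor lifecycle done wrong twice: sessions that predate 2FA enrolment are left alive, and the OTP endpoint takes unlimited guesses. The following is an added example, not Nagios Fusion code, showing the correct handling in a minimal login service: enabling 2FA destroys every other session of that user, and OTP verification locks the user after a few failures. The class, the static six-digit code standing in for a TOTP secret, and the lockout numbers are assumptions made for the example.

```python
import hmac
import secrets
import time

# Added example, not Nagios Fusion code: a minimal login service that revokes
# every pre-existing session when a user enables 2FA, and locks OTP verification
# after a handful of failures so a six-digit code cannot be brute-forced.
# The policy numbers below are assumptions for the example.
MAX_OTP_FAILURES = 5       # failures before lockout
LOCKOUT_SECONDS = 15 * 60  # lockout window


class AuthService:
    def __init__(self):
        self.users = {}         # user -> {"otp": str | None}; a static code stands in for TOTP
        self.sessions = {}      # session token -> {"user": str, "mfa_passed": bool}
        self.otp_failures = {}  # user -> (failure_count, locked_until_epoch)

    def login(self, user):
        """Password step only; the session is usable right away only if 2FA is off."""
        self.users.setdefault(user, {"otp": None})
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "mfa_passed": self.users[user]["otp"] is None}
        return token

    def is_authenticated(self, token):
        s = self.sessions.get(token)
        return bool(s and s["mfa_passed"])

    def enable_2fa(self, user, current_token, otp_code):
        """Turning on 2FA is a security-state change: every other session of the
        user is destroyed, otherwise a token captured before enrolment keeps
        working without ever passing the second factor."""
        self.users[user]["otp"] = otp_code
        for tok in list(self.sessions):
            if self.sessions[tok]["user"] == user and tok != current_token:
                del self.sessions[tok]

    def verify_otp(self, user, token, code, now=None):
        """Return 'ok', 'bad_code' or 'locked'. The per-user lockout caps the attempt
        budget at MAX_OTP_FAILURES per LOCKOUT_SECONDS instead of the 10**6 guesses
        an unthrottled six-digit code allows."""
        now = time.time() if now is None else now
        failures, locked_until = self.otp_failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"  # refuse even a correct code while locked
        expected = self.users.get(user, {}).get("otp")
        session = self.sessions.get(token)
        if (expected is not None and session and session["user"] == user
                and hmac.compare_digest(expected, code)):
            self.otp_failures.pop(user, None)
            session["mfa_passed"] = True
            return "ok"
        failures += 1
        if failures >= MAX_OTP_FAILURES:
            self.otp_failures[user] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self.otp_failures[user] = (failures, 0.0)
        return "bad_code"
```

A per-user lockout is the simplest form; a production service would also throttle per source address and per session token, because an attacker who can trigger the lockout on demand turns the limiter into a denial of service against the legitimate user.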
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.
CVSS Score: 9.9 | EPSS Score: 0.004 | Published: 2025-10-07
Nagios Log Server before 2024R1.3.2 allows authenticated users with read-only API access to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though the API response contains "message": "Could not stop elasticsearch". This is GL:NLS#474.
CVSS Score: 8.5 | EPSS Score: 0.002 | Published: 2025-10-07
Nagios XI before 2026R1 contains an authenticated command injection vulnerability in the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. Shell metacharacters can be injected into the arguments these wizards pass to the service, executing arbitrary system commands on the underlying host as the `nagios` user.
CVSS Score: 8.8 | EPSS Score: 0.014 | Published: 2025-09-25
Nagios XI before 2024R1.3.2 contains a remote code execution vulnerability reachable by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation places attacker-controlled PHP files in a web-accessible directory, where they execute as the www-data user.
CVSS Score: 8.8 | EPSS Score: 0.011 | Published: 2025-08-28
A cross-site scripting (XSS) vulnerability in Nagios XI 2024R2 allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component that renders performance-related data.
CVSS Score: 6.1 | EPSS Score: 0.005 | Published: 2025-08-26
An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2025-04-18
A cross-site scripting vulnerability in Nagios Log Server v2024R1.3.1 allows a remote attacker to execute arbitrary JavaScript in a victim's browser via a crafted payload submitted in the Email field.
CVSS Score: 8.3 | EPSS Score: 0.071 | Published: 2025-04-15
A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability.
CVSS Score: 4.6 | EPSS Score: 0.001 | Published: 2025-04-01
Shodan ® - All rights reserved