Home

Description

Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitation, allowing an authenticated user to manipulate database queries. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly.

PUBLISHED Reserved 2025-10-28 | Published 2025-10-30 | Updated 2025-10-31 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

Any version before 5.2.4
affected

References

www.nagios.com/changelog/nagios-xi/ release-notes patch

www.vulncheck.com/...s/nagios-xi-sqli-in-notification-search third-party-advisory

cve.org (CVE-2016-15050)

nvd.nist.gov (CVE-2016-15050)

Download JSON