Nagios XI < 2026R1.0.1 Multiple Vulnerabilities

Severity: High, Nessus Plugin ID 299396

Synopsis

The remote host has a web application affected by multiple vulnerabilities.

Description

According to the self-reported version of Nagios XI, the remote host is affected by multiple vulnerabilities, including the following:

- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the zabbixagent_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. (CVE-2026-2041)

- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the monitoringwizard module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. (CVE-2026-2042)

- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the esensors_websensor_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. (CVE-2026-2043)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Nagios XI 2026R1.0.1 or later.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-26-071/

https://www.zerodayinitiative.com/advisories/ZDI-26-072/

https://www.zerodayinitiative.com/advisories/ZDI-26-073/

https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1/

Plugin Details

Severity: High

ID: 299396

File Name: nagiosxi_2026R1-0-1.nasl

Version: 1.2

Type: combined

Agent: unix

Family: CGI abuses

Published: 2/18/2026

Updated: 2/19/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-2041

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2026-2043

Vulnerability Information

CPE: cpe:/a:nagios:nagios_xi

Exploit Ease: No known exploits are available

Patch Publication Date: 2/12/2026

Vulnerability Publication Date: 2/12/2026

Reference Information

CVE: CVE-2026-2041, CVE-2026-2042, CVE-2026-2043