Description
Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.

The specific flaw exists within the monitoringwizard module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28245.
Published: 2026-02-20
Score: 8.8 High
EPSS: 5.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw resides in the monitoringwizard module of Nagios Host. The vulnerability is caused by sending a user‑supplied string directly to a system call without proper validation, classifying it as a CWE‑78 issue. An attacker who can authenticate to the Nagios web interface can send a crafted request that executes arbitrary commands in the context of the Nagios service account, enabling complete control over the host.

Affected Systems

The flaw appears in Nagios XI installations that include the monitoringwizard component, specifically the 2026r1 series. Any instance of Nagios XI 2026r1 running this module and not yet updated with a patch that removes the vulnerable code is affected. Versions outside that series are not known to be impacted by this specific issue, but no confirmatory data are available for other versions.

Risk and Exploitability

The CVSS score of 8.8 places this vulnerability in the high severity bracket, and the EPSS score of 6% indicates a moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Authentication is required, so the attacker must first acquire valid credentials or otherwise be able to submit authenticated requests to the monitoringwizard interface. The likely attack vector is a remote network request to the Nagios web interface where the injection is triggered via a crafted parameter. Given these factors, unpatched systems remain at significant risk if exposed to adversaries.

Generated by OpenCVE AI on June 17, 2026 at 09:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official Nagios XI update that removes the vulnerable monitoringwizard component
  • Disable or uninstall the monitoringwizard module if it is not required for your environment
  • Restrict access to the Nagios web interface to trusted IP ranges or enforce strict authentication policies

Generated by OpenCVE AI on June 17, 2026 at 09:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Nagios nagios Xi
CPEs cpe:2.3:a:nagios:nagios_xi:2026:r1:*:*:*:*:*:*
Vendors & Products Nagios nagios Xi
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Nagios
Nagios host
Vendors & Products Nagios
Nagios host

Fri, 20 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the monitoringwizard module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28245.
Title Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Nagios Host Nagios Xi
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-26T14:44:13.112Z

Reserved: 2026-02-06T01:14:31.431Z

Link: CVE-2026-2042

cve-icon Vulnrichment

Updated: 2026-02-24T15:08:38.338Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T23:16:04.337

Modified: 2026-02-24T13:17:25.900

Link: CVE-2026-2042

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T09:45:07Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')