Description
Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.

The specific flaw exists within the esensors_websensor_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249.
Published: 2026-02-20
Score: 8.8 High
EPSS: 1.4% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection flaw in the esensors_websensor_configwizard_func function of Nagios XI 2026 r1. Because the function fails to sanitize user‑supplied strings before executing a system call, an attacker who authenticates to the service can inject arbitrary shell commands. The impact is the execution of arbitrary code in the context of the service account, enabling full compromise of the host.

Affected Systems

Affected systems are installations of Nagios XI version 2026 r1, commonly deployed as Nagios Host. The issue is present in that release and no other versions are cited, so only this specific release is known to be vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and an EPSS score of 1% suggests a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed exploits yet. Authentication is required, so attackers need valid credentials or compromised accounts to leverage the flaw, likely via legitimate administrative access. Once authenticated, they can run arbitrary commands with the privileges of the Nagios service account.

Generated by OpenCVE AI on April 18, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nagios XI to version 2026r1-0-1 or later, as released in the official changelog to address the command injection flaw.
  • If immediate upgrade is not possible, disable or restrict access to the esensors_websensor_configwizard_func endpoint for authenticated users.
  • Apply principle of least privilege to the Nagios service account, ensuring it has only necessary permissions to limit damage if the vulnerability is exploited.
  • Validate that input fields are properly sanitized to prevent similar injection flaws in future custom extensions.

Generated by OpenCVE AI on April 18, 2026 at 11:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Nagios nagios Xi
CPEs cpe:2.3:a:nagios:nagios_xi:2026:r1:*:*:*:*:*:*
Vendors & Products Nagios nagios Xi
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Nagios
Nagios host
Vendors & Products Nagios
Nagios host

Fri, 20 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the esensors_websensor_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249.
Title Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Nagios Host Nagios Xi
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-26T14:44:12.943Z

Reserved: 2026-02-06T01:14:34.450Z

Link: CVE-2026-2043

cve-icon Vulnrichment

Updated: 2026-02-24T15:10:00.775Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T23:16:04.517

Modified: 2026-02-24T13:16:42.467

Link: CVE-2026-2043

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses