H3-2026-0014
Nagios XI SQL Injection Vulnerability
| Category | VULNERABILITY |
| Base Score | 7.2 |
Description
Nagios XI prior to version 5.4.13 contains multiple SQL injection vulnerabilities in the administrative web interface. CVE-2018-10735 affects the admin/commandline.php endpoint via the cname parameter, CVE-2018-10736 affects the admin/info.php endpoint via the key1 parameter, and CVE-2018-10738 affects the admin/menuaccess.php endpoint via the chbKey1 parameter. Each vulnerability exists due to insufficient sanitization of user-supplied input before inclusion in SQL queries. Exploitation requires network access to the Nagios XI web interface.
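As a defender-side check added here (not part of this advisory or of Nagios XI's code), the following Python script scans web-server access log lines for requests to the three endpoints named above whose listed parameters carry SQL metacharacters or keywords. The install prefix, the combined log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint path suffix -> parameter named in the advisory; matching on the
# suffix avoids assuming the install prefix (commonly /nagiosxi/).
WATCHED = {
    "/admin/commandline.php": "cname",    # CVE-2018-10735
    "/admin/info.php": "key1",            # CVE-2018-10736
    "/admin/menuaccess.php": "chbKey1",   # CVE-2018-10738
}
# Quotes, statement/comment terminators and common SQL keywords; the keyword
# part can false-positive on legitimate values, so tune it to your own data.
SUSPICIOUS = re.compile(
    r"['\";]|--|/\*|\b(union|select|insert|update|delete|sleep)\b", re.I)
# Combined-log request line: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def check_request(client, method, target):
    """Return a finding dict when a watched parameter carries suspicious content."""
    parts = urlsplit(target)
    for suffix, param in WATCHED.items():
        if not parts.path.endswith(suffix):
            continue
        for value in parse_qs(parts.query).get(param, []):  # percent-decoded
            if SUSPICIOUS.search(value):
                return {"client": client, "method": method,
                        "path": parts.path, "param": param, "value": value}
    return None

def scan_log(text):
    """Scan combined-format access log text. POST bodies are not logged, so
    injection through form fields needs application or WAF logs instead."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, _ts, method, target, _status = m.groups()
            finding = check_request(client, method, target)
            if finding:
                findings.append(finding)
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] "GET /nagiosxi/admin/commandline.php?cname=check_ping HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2026:10:00:07 +0000] "GET /nagiosxi/admin/commandline.php?cname=x%27 HTTP/1.1" 500 233
203.0.113.9 - - [10/Mar/2026:10:00:09 +0000] "GET /nagiosxi/admin/info.php?key1=1%20UNION%20SELECT%201 HTTP/1.1" 500 233
203.0.113.9 - - [10/Mar/2026:10:00:11 +0000] "POST /nagiosxi/admin/menuaccess.php HTTP/1.1" 200 110
"""
```

Running `scan_log(SAMPLE_LOG)` reports the second and third lines only; the POST to menuaccess.php produces no finding because the access log never records the request body.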
Impact
Remote attackers can execute arbitrary SQL commands against the Nagios XI database, enabling unauthorized access to, modification of, or deletion of sensitive monitoring data and credentials. Compromise of the monitoring platform database could expose credentials and configuration details for all monitored infrastructure.