CVE Daily
← All tags

Tag: Icinga

All CVEs associated with "Icinga". Page 1/1 • 56 CVEs.

About “Icinga”

A curated feed of “Icinga”-related CVEs appears below. We currently track 56 CVEs for this tag (all time). In the last 365 days, 10 were published. Average CVSS is 6.6 (all time; 5.8 over 365d), and 45% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-276 - Incorrect Default Permissions, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a LOW impact class. Logging and monitoring stacks may expose dashboards or collectors. Patch services, enforce auth and TLS, restrict admin endpoints, rotate tokens, and review data retention. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: icinga

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestPremier SupportEOLLTS
2.162.16.1Unavailable-
2.152.15.3-
2.142.14.8 Expired
2.132.13.14 Expired
2.122.12.12 Expired
2.112.11.12 Expired
2.102.12.10 Expired
2.92.9.3 Expired
2.82.8.4 Expired
2.72.7.2 Expired
2.62.6.3 Expired
2.52.5.4 Expired
2.42.4.10 Expired
2.32.3.11 Expired
2.22.2.4 Expired
2.12.1.1 Expired
2.02.0.2 Expired
11.14.2 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Icinga”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-08
High

CVE-2026-42224

ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the conte…

CVSS: 7.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-04-14
High

CVE-2026-24893

openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows a…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2026-02-01
Medium

CVE-2022-50942

Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the Eve…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-01-29
Medium

CVE-2026-24414

The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissio…

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2026-24413

Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\…

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2025-10-16
Medium

CVE-2025-61909

Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped…

CVSS: 4.4 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
Medium

CVE-2025-61908

Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing results in a segmentati…

CVSS: 6.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2025-61907

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would ot…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2025-61789

Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either prote…

CVSS: 5.3 CWE: CWE-204 - Observable Response Discrepancy View on NVD
2025-07-16
Low

CVE-2025-53840

Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and se…

CVSS: 2.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-05-27
Critical

CVE-2025-48057

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.…

CVSS: 9.8 CWE: CWE-296 - Improper Following of a Certificate's Chain of Trust View on NVD
2025-03-26
Medium

CVE-2025-30164

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL…

CVSS: 4.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Medium

CVE-2025-27609

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-27406

Icinga Reporting is the central component for reporting related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allow…

CVSS: 7.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-27405

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once vis…

CVSS: 7.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-27404

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once vis…

CVSS: 7.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-23203

Icinga Director is an Icinga config deployment tool. A Security vulnerability has been found starting in version 1.0.0 and prior to 1.10.4 and 1.11.4 on several director endpoints of REST API. To rep…

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-11-12
Critical

CVE-2024-49369

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga…

CVSS: 9.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-08-05
Low

CVE-2024-41811

ipl/web is a set of common web components for php projects. Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF). All affected p…

CVSS: 3.9 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2024-07-15
Critical

CVE-2024-39915

Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject…

CVSS: 9.9 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-02-09
Medium

CVE-2024-24819

icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and…

CVSS: 5.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
High

CVE-2024-24820

Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against c…

CVSS: 8.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2023-06-08
Medium

CVE-2023-34096

Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Tra…

CVSS: 6.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2022-03-08
High

CVE-2022-24716

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server us…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2022-24715

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended direc…

CVSS: 8.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2022-24714

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables…

CVSS: 5.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-08-19
High

CVE-2021-37698

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, Elasticsea…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-07-15
High

CVE-2021-32743

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from versio…

CVSS: 8.8 CWE: CWE-202 - Exposure of Sensitive Information Through Data Queries View on NVD
High

CVE-2021-32739

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a…

CVSS: 8.8 CWE: CWE-267 - Privilege Defined With Unsafe Actions View on NVD
2021-07-12
Medium

CVE-2021-32747

Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2021-32746

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-12-15
Critical

CVE-2020-29663

Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.…

CVSS: 9.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-08-19
High

CVE-2020-24368

Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2018-12-17
High

CVE-2018-18250

Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item.

CVSS: 7.5 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Critical

CVE-2018-18249

Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_R…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2018-18248

Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup que…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2018-18247

Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2018-18246

Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module.

CVSS: 6.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2018-02-27
High

CVE-2018-6535

An issue was discovered in Icinga 2.x through 2.8.1. The lack of a constant-time password comparison function can disclose the password to an attacker.

CVSS: 8.1 CWE: N/A View on NVD
Medium

CVE-2018-6534

An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash.

CVSS: 6.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
High

CVE-2018-6533

An issue was discovered in Icinga 2.x through 2.8.1. By editing the init.conf file, Icinga 2 can be run as root. Following this the program can be used to run arbitrary code as root. This was fixed b…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2018-6532

An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted (authenticated and unauthenticated) requests, an attacker can exhaust a lot of memory on the server side, triggering…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2018-02-02
Medium

CVE-2018-6536

An issue was discovered in Icinga 2.x through 2.8.1. The daemon creates an icinga2.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes…

CVSS: 5.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-11-24
High

CVE-2017-16933

etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_…

CVSS: 7.0 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-11-18
High

CVE-2017-16882

Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2017-03-27
Medium

CVE-2015-8010

Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2014-11-28
Low

CVE-2014-8994

The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbitrary files via a symlink attack on a temporary file with a predictable name (tmp/check_diskio_statu…

CVSS: 3.6 CWE: CWE-18 View on NVD
2014-03-25
Medium

CVE-2014-2386

Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, allow remote attackers to cause a denial of service (crash) via unspecified vectors to the (1) display_nav_table, (2) print_export_l…

CVSS: 5.0 CWE: CWE-189 View on NVD
2014-02-28
Medium

CVE-2014-1878

Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote att…

CVSS: 5.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2014-01-15
Medium

CVE-2013-7108

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information…

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2013-7107

Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via unspe…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2013-7106

Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbit…

CVSS: 6.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2013-01-22
High

CVE-2012-6096

Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow re…

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2012-08-25
High

CVE-2012-3441

The database creation script (module/idoutils/db/scripts/create_mysqldb.sh) in Icinga 1.7.1 grants access to all databases to the icinga user, which allows icinga users to access other databases via…

CVSS: 7.5 CWE: CWE-264 View on NVD
2011-06-14
Low

CVE-2011-2477

Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in Icinga before 1.4.1, when escape_html_tags is disabled, allow remote attackers to inject arbitrary web script or HTML…

CVSS: 2.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2011-2179

Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the exp…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox