SQL Injection Vulnerabilities in Nagios XI by Nagios
CVE-2020-36859

8.7 HIGH

Key Information:

Vendor: Nagios
Status: Vendor
CVE Published: 30 October 2025

What is CVE-2020-36859?

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 and Nagios XI 5.7.4 is susceptible to multiple SQL injection vulnerabilities in the object edit pages. The flaw arises from unsanitized user-supplied input being embedded directly into the SQL queries used by the configuration object editors. Authenticated users could exploit these vulnerabilities to inject SQL fragments, potentially leading to unauthorized disclosure or alteration of configuration and application data. In certain circumstances, this could also enable further compromise of the application or the backend database.
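The flaw class described above, shown as an added example that is not Nagios code: a constructed "host edit page" save routine using Python's sqlite3 (Nagios XI itself is PHP on MySQL), first with request values spliced into the query text, then hardened by validating the object id's shape and binding every value as a parameter. The table and column names are assumptions, not the CCM schema.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a configuration-object table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tbl_host (id INTEGER PRIMARY KEY, host_name TEXT, address TEXT)"
    )
    db.executemany(
        "INSERT INTO tbl_host VALUES (?, ?, ?)",
        [(1, "web01", "10.0.0.1"), (2, "db01", "10.0.0.2")],
    )
    return db


def list_addresses(db):
    return db.execute("SELECT id, address FROM tbl_host ORDER BY id").fetchall()


def save_host_vulnerable(db, host_id, address):
    """Flawed edit-page pattern: the request's id and address are pasted
    straight into the SQL text, so an id such as "1 OR 1=1" rewrites the
    WHERE clause and the UPDATE touches every row."""
    sql = f"UPDATE tbl_host SET address = '{address}' WHERE id = {host_id}"
    db.execute(sql)
    return list_addresses(db)


def is_valid_object_id(value):
    """Object ids in an edit page are integers; anything else is rejected
    before it gets anywhere near the query."""
    return str(value).isdigit()


def save_host_fixed(db, host_id, address):
    """Hardened pattern: validate the id's shape, then bind both values as
    parameters so the driver treats them as data, never as SQL."""
    if not is_valid_object_id(host_id):
        raise ValueError("host id must be a non-negative integer")
    db.execute(
        "UPDATE tbl_host SET address = ? WHERE id = ?", (address, int(host_id))
    )
    return list_addresses(db)
```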

Affected Version(s)

Nagios XI: 0 <= version < 5.7.4

CVSS v4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew Aberegg