Host Header Injection Vulnerability in Nagios XI by Nagios
CVE-2024-14006

8.8HIGH

Key Information:

Vendor

NagiOS

Status
Xi
Vendor
CVE Published:
30 October 2025

What is CVE-2024-14006?

Nagios XI versions prior to 2024R1.2.2 are susceptible to a host header injection flaw. This vulnerability occurs because the application does not validate the user-supplied HTTP Host header thoroughly when generating absolute URLs. An unauthenticated attacker can exploit this weakness by sending a specially crafted Host header. Successful exploitation can lead to various attacks, including the potential for phishing, hijacking account recovery links, and web cache poisoning. It is crucial for users to apply the necessary security updates to ensure their systems are protected.

Affected Version(s)

XI 0

References

https://www.nagios.com/products/security/#nagios-xi
vendor-advisorypatch
https://www.nagios.com/changelog/nagios-xi/
release-notespatch
https://www.vulncheck.com/advisories/nagios-xi-host-heade...
third-party-advisory

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2024-14006 : Host Header Injection Vulnerability in Nagios XI by Nagios