Server-Side Template Injection in Centreon Infra Monitoring Product
CVE-2026-14453

9.6CRITICAL

Key Information:

Vendor

Centreon

Vendor
CVE Published:
13 July 2026

What is CVE-2026-14453?

The Centreon Infra Monitoring product contains a significant Server-Side Template Injection flaw within the centreon-open-tickets module. This vulnerability arises from the message_confirm field being stored without proper sanitization, allowing it to be rendered via Smarty without an enabling security policy. As a result, any authenticated user can inject and execute arbitrary code on the server, potentially leading to unauthorized access to sensitive environment secrets and jeopardizing the overall availability of the platform.

Affected Version(s)

Infra Monitoring 24.10.0

Infra Monitoring 24.10.0 < 24.10.14

Infra Monitoring 25.10.0 < 25.10.9

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matteo BEZET TORRES
.