CVE-2021-3273

7.2 HIGH

Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component

Published: 2021-02-25 · Last updated: 2026-06-17

Severity and scoring

CVSS: 7.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-94

Affected products

Vendor	Product
nagios	nagios_xi

Description

Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. To exploit this vulnerability, someone must have an admin user account in Nagios XI's web system.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-3273
[Exploit reference]https://gist.github.com/leommxj/93edce6f8572cefe79a3d7da4389374e
[Vendor advisory]https://www.nagios.com/downloads/nagios-xi/change-log/
[Exploit reference]https://gist.github.com/leommxj/93edce6f8572cefe79a3d7da4389374e
[Vendor advisory]https://www.nagios.com/downloads/nagios-xi/change-log/

Related CVEs

Same vendor

CVE-2021-40345 — An issue was discovered in Nagios XI 5.8.5 (7.2 HIGH)
CVE-2021-40344 — An issue was discovered in Nagios XI 5.8.5 (7.2 HIGH)
CVE-2021-40343 — An issue was discovered in Nagios XI 5.8.5 (7.8 HIGH)
CVE-2021-38156 — In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard (5.4 MEDIUM)
CVE-2021-3277 — Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality ... (7.2 HIGH)

Same CWE

CVE-2026-24155 — NVIDIA NeMo Framework for all platforms contains a code injection vulnerability (7.8 HIGH)
CVE-2026-49774 — Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion (9.9 CRITICAL)
CVE-2026-48017 — DbGate is cross-platform database manager (8.8 HIGH)
CVE-2026-48836 — Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions (10.0 CRITICAL)
CVE-2026-48124 — Cursor is a code editor built for programming with AI