CVE-2021-40344

7.2 HIGH

An issue was discovered in Nagios XI 5.8.5

Published: 2021-10-26 · Last updated: 2026-06-17

Severity and scoring

CVSS: 7.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

Affected products

Vendor: nagios
Product: nagios_xi

Description

An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.

Source: NVD

Related CVEs

Same vendor

  • CVE-2021-40345 An issue was discovered in Nagios XI 5.8.5 (7.2 HIGH)
  • CVE-2021-40343 An issue was discovered in Nagios XI 5.8.5 (7.8 HIGH)
  • CVE-2021-38156 In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard (5.4 MEDIUM)
  • CVE-2021-3277 Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbitrary files due to improper validation of the rename functionality ... (7.2 HIGH)
  • CVE-2021-3273 Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component (7.2 HIGH)

Same CWE

  • CVE-2026-40750 Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
  • CVE-2026-6933 The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)
  • CVE-2026-40772 Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions (10.0 CRITICAL)
  • CVE-2026-39591 Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions (9.9 CRITICAL)
  • CVE-2026-39527 Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions (5.4 MEDIUM)