Lilac-Reloaded for Nagios Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in Lilac-Reloaded for Nagios version 2.0.8. The issue arises in the autodiscovery feature, where the nmap_binary parameter lacks proper input validation. This flaw allows attackers to inject arbitrary commands, such as executing a reverse shell, by sending a crafted POST request to the autodiscovery endpoint.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where Lilac-Reloaded is installed.
Reproduction
To reproduce this vulnerability, send a POST request to the autodiscovery endpoint with a payload that includes a command injection in the nmap_binary parameter. The injected command can be crafted to establish a reverse shell connection.
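One way to handle the nmap_binary parameter safely, shown as an added example that is not Lilac-Reloaded's own code: the submitted value must exactly match an allowlisted path, and nmap is started without a shell. The allowlist paths, the function names and the `-sn` scan are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only binaries the discovery job may run.
const ALLOWED_NMAP_BINARIES = ['/usr/bin/nmap', '/usr/local/bin/nmap'];

// Map the submitted nmap_binary value to an allowlisted executable, or null.
function resolve_nmap_binary(string $submitted): ?string
{
    // Exact match only: a value carrying arguments, separators or shell
    // metacharacters can never equal an allowlist entry.
    if (!in_array($submitted, ALLOWED_NMAP_BINARIES, true)) {
        return null;
    }
    return (is_file($submitted) && is_executable($submitted)) ? $submitted : null;
}

// Run a host-discovery scan against one IP address without involving a shell.
function run_discovery_scan(string $submittedBinary, string $target): array
{
    $binary = resolve_nmap_binary($submittedBinary);
    if ($binary === null) {
        throw new InvalidArgumentException('nmap_binary is not an allowlisted executable');
    }
    // A validated IP address cannot start with "-" or contain whitespace.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('target is not an IP address');
    }
    // The array form of proc_open (PHP >= 7.4) executes the program directly,
    // so no shell ever parses the arguments.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open([$binary, '-sn', $target], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start nmap');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'stdout' => $stdout];
}

// Constructed sample values for the nmap_binary field.
foreach (['/usr/bin/nmap', '/usr/bin/nmap -oN /tmp/x', 'nmap; id'] as $value) {
    printf("%-26s => %s\n", $value, resolve_nmap_binary($value) ?? 'rejected');
}
```

The first sample is accepted only on a host where that path exists and is executable; the other two never match the allowlist.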
